Email Breaches Reported by Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Share this article on:

Eastern Los Angeles Regional Center has discovered the email account of an employee has been accessed by an unauthorized individual. Suspicious activity was detected in the email account on July 15, 2021. A password reset was performed to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the breach.

It was confirmed that the account was accessed for a limited period of time on July 15, 2021 and that the email account contained the protected health information of 12,921 individuals, including first and last names, Social Security numbers, ELARC-issued client identifier numbers, Tax ID numbers, medical histories, treatment or diagnosis information, and health insurance information.

Eastern Los Angeles Regional Center said it found no evidence to suggest any information in the email account was exfiltrated or subjected to actual or attempted misuse.

Additional technical safeguards have been implemented to further enhance the security of sensitive information and affected individuals have been offered 12 months of complimentary credit monitoring services through Kroll.

Mercy Grace Private Practice Notifies 4,450 Patients About Data Breach

On August 30, 2021, Mercy Grace Private Practice in Gilbert, AZ notified 4,450 patients about a business email compromise attack in December 2020 involving a fraudulent wire transfer.

A third-party computer forensics firm was engaged to perform a comprehensive analysis of its entire email environment. That investigation confirmed that two employee email accounts had been compromised.

A review of the two email accounts confirmed they contained patient data such as names, Social Security numbers, driver’s license numbers, state identification numbers, financial account information, and limited health information.  The purpose of the attack appears to have been to defraud the practice rather than obtain patient data. Mercy Grace Private Practice is unaware of any actual or attempted misuse of patient data as a result of the security breach.

In response to the breach, security protocols have been enhanced and further cybersecurity training has been provided to employees.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On