Email Data Breaches Announced by 4 U.S. Healthcare Orgs
Unauthorized individuals have gained access to employee email accounts at four healthcare organizations over the summer, resulting in HIPAA email compliance breaches: HealthFund Solutions in Florida, Option Care Health in Illinois, and Liberty Endo and Numotion in New York.
HealthFund Solutions
HealthFund Solutions, LLC, a Florida-based health insurance solutions company, has discovered unauthorized access to an employee’s email account. The email account breach was detected on August 14, 2024, and after securing the account, a third-party digital forensics firm was engaged to investigate the incident. The investigation confirmed that unauthorized access was limited to a single email account, and on September 16, 2024, it was determined that the email account contained the protected health information of 5,198 individuals.
Information compromised in the incident included names, addresses, dates of birth, Social Security numbers, medical information, and health insurance information. Notification letters were mailed to the affected individuals on November 15, 2024. While there has been no known misuse of the affected information, individuals have been reminded to carefully check their financial account statements and explanation of benefits statements for signs of fraudulent activity,
Option Care Health
Option Care Health, a Bannockburn, IL-based provider of infusion therapy services, has notified 2,897 patients about the exposure of some of their protected health information in a recent security incident. Security tools identified suspicious activity in an employee’s inbox on July 31, 2024, and terminated access. Option Care Health learned about the incident on August 1, 2024, and launched a forensic investigation which confirmed that an unauthorized third party had access to the account for a for a short period on July 31, 2024.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The account was reviewed, and on September 16, 2024, it was determined patients’ protected health information had been exposed. The notification letter to the California Attorney General does not state the types of data involved, but that information is detailed in each of the individual notification letters. Complimentary credit monitoring and identity theft protection services have been offered through Kroll.
Liberty Endo
Liberty Endo, a New York-based provider of endoscopy services, has identified unauthorized access to an employee’s email account. The forensic investigation confirmed that an unauthorized third party had access to the account from July 3, 2024, to August 26, 2024, and during that time may have viewed and copied emails and attachments.
The review of the account was completed on October 24 and confirmed it contained the protected health information of 942 patients, including names, addresses, phone numbers, email addresses, dates of birth, patient ID numbers, medical records numbers, Medicare/ Medicaid ID numbers, health insurance plan/policy numbers, diagnosis/treatment information, dates of service, treatment costs, and healthcare provider names. While there has been no known misuse of the affected data, Liberty Endo is offering credit monitoring and identity protection services to the affected individuals as a precaution.
United Seating and Mobility (Numotion)
United Seating and Mobility, dba Numotion, has discovered unauthorized access to multiple employee email accounts. Suspicious email account activity was detected on or around September 6, 2024, and the forensic investigation revealed certain email accounts had been accessed by an unauthorized third party from August 23, 2024, to September 6, 2024.
On October 14, 2024, it was confirmed that some of the emails contained patient information such as names, driver’s license numbers, Social Security numbers, dates of birth, tax identification numbers, financial account numbers, health insurance information, and/or medical information. The breach was recently reported to the HHS- Office for Civil Rights as involving the protected health information of 2,319 individuals.
Numotion said there is no reason to believe that unauthorized individuals were specifically looking to access personal information in the accounts. Individual notification letters have now been mailed to the affected individuals and complimentary identity theft protection services have been offered to individuals whose Social Security numbers were involved. This is the second data breach to be reported by Numotion this year. In June, the company announced that it had fallen victim to a ransomware attack in February 2024 that affected 602,265 individuals.
