Email Data Breaches Reported by UofL Health and Jawonio

UofL Health has started notifying 42,465 patients that some of their protected health information (PHI) was sent to an incorrect external email address.

The Louisville, KY healthcare system sent notification letters to affected patients on June 7, 2021 advising them about the exposure of some of their PHI. UofL Health was contacted the following day by the owner of the external domain and was provided with technical evidence that showed the emails had not been viewed by anyone and had been permanently deleted.

Some patients whose PHI was exposed were offered complimentary identity theft protection services. While it has now been confirmed that PHI had not been viewed and is no longer accessible, UofL Health said any patient who was offered identity theft protection services will still be able to sign up for them free of charge.

“We are relieved that our patients’ information is not at risk as a result of this incident, though we wish that information would have come to us sooner,” said UofL Health in a website notice to its patients. UofL Health did not state in its breach notice what information was in the emails.

Jawonio Notifies 13,313 Patients About Email Account Breach

Jawonio, a provider of lifespan services for individuals with developmental disabilities, behavioral health challenges, and chronic medical conditions in the Mid​-Hudson Region of New York, has discovered its email environment has been accessed by an unauthorized individual.

Suspicious activity was detected in its email environment on April 20, 2020. Steps were immediately taken to prevent further unauthorized access and an investigation was launched to determine the nature and scope of the security breach. Assisted by third-party cybersecurity experts, Jawonio learned on November 24, 2020 that the personal and protected health information of 13,313 individuals had potentially been compromised.

The affected email accounts were reviewed and discovered to include names, dates of birth, medical record numbers, Social Security numbers, medical condition information, treatment information, government issued identification numbers, health insurance information, and financial account information.

While PHI was potentially viewed, no evidence was found to indicate that information has been misused. Individuals affected by the security breach have been provided with complimentary credit monitoring and identity protection services. The delay in issuing breach notification letters was due to the lengthy process of identifying current mailing addresses for affected individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.