HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed.

PHI of 5,319 Patients of Center for Sight and Hearing Exposed

Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients.

A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information was contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication.

2,290 Patients Notified About Harbor Behavioral Health Phishing Attack

Harbor Behavioral Health, a network of counselling and mental health treatment centers in Northwest Ohio, discovered on February 13, 2019 that an unauthorized individual had gained access to the email account of an employee.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Assisted by a third-party computer forensics firm, Harbor determined that the hacker had access to the account for three months between December 2018 and February 2019 and that a further email account had also been compromised.

In both cases, unauthorized access to the accounts was immediately terminated and the accounts were secured. An analysis of the compromised accounts revealed they contained information such as names, dates of birth, health insurance details, and information related to the services provided by Harbor. The Social Security numbers and driver’s license numbers of a limited number of patients were also exposed. In total, the compromised email accounts contained the PHI of 2,290 patients.

Complimentary credit monitoring and identity theft protection services have been offered to all patients whose Social Security number or driver’s license number was exposed.

In addition to securing the accounts, Harbor has strengthened controls to prevent unauthorized access from external IP addresses, increased log reviews and the frequency of automated alerts, and has strengthened its security processes. Additional training has also been given to employees to help them detect and avoid phishing emails.

1,026 Individuals Impacted by Dakota County Email Account Breach

Dakota County, MN, has discovered the email account of an employee has been hacked and accessed by an unauthorized individual. The email account breach was discovered on February 13, 2019 and the account was immediately secured.

As a precaution, a forced password reset was performed on all employee email accounts to ensure no other accounts could be accessed, although the investigation confirmed that only a single account had been compromised. Third-party cybersecurity consultants were retained to conduct an investigation into the breach and confirmed the account had been accessed. It was not possible to determine whether any emails had been opened or copied.

The compromised account contained information maintained by Dakota County Social Services, including names, addresses, Social Security numbers, driver’s license numbers, health insurance information, medical histories, diagnoses, and treatment information.

Complimentary identity protection services have been offered to individuals affected by the breach and notification letters were sent on April 12, 2019. Dakota County has also strengthened its email security defenses to prevent further attacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.