HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Incidents Reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada

Three email incidents have recently been reported by Ultimate Care, CareOregon Advantage, and University Medical Center Southern Nevada that have affected a total of 38,485 individuals.

Phishing Attack on Ultimate Care Impacts 15,788 Individuals

The Brooklyn, NY-based home care agency, Ultimate Care, has recently announced that a limited number of employee email accounts have been accessed by unauthorized individuals after employees responded to phishing emails. When the security breach was detected, rapid action was taken to secure its email environment and a forensic investigation was launched to determine the scope of the breach.

The forensic investigation revealed the email accounts were accessed by unauthorized individuals between April 7, 2021, and June 2, 2021. A manual review of all emails in the accounts confirmed they contained names, along with one or more of the following types of information: Social Security numbers, driver’s license numbers, passport numbers, dates of birth, financial account information, credit or debit card information, medical information, health insurance policy information, and/or usernames and passwords.

Ultimate Care said no reports have been received that indicate there has been any misuse of patient information; however, as a precaution against identity theft and fraud, individuals whose Social Security numbers were impacted have been offered complimentary one-year memberships with a credit monitoring service. Notification letters were sent to affected individuals on February 22, 2022.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The breach was reported to the HHS’ Office for Civil Rights as affecting 15,788 individuals.

University Medical Center Southern Nevada Patients Affected by Business Associate Email Breach

University Medical Center Southern Nevada (UMC) has recently confirmed the protected health information of 12,230 patients was potentially compromised in a cyberattack at one of its business associates: The healthcare software provider Advent Health Partners (AHA).

AHA discovered the email breach in early September 2021 and determined on December 2, 2021, that files containing the protected health information of its healthcare provider clients had been accessed. The files contained first and last names, Social Security numbers, drivers’ license information, dates of birth, health insurance information, medical treatment information, and financial account information. AHA provided notice about the attack on January 6, 2021. The breach was reported by Advent Health Partners as affecting 1,383 individuals, but some of its clients, including UMC, reported the breach themselves.

This is the third data breach to be reported by UMC in the past 18 months. UMC was a victim of a REvil ransomware attack in June 2021 that resulted in the theft of the protected health information of 1.3 million individuals, and in March 2021, UMC reported an unauthorized access/disclosure incident affecting 1,833 individuals.

Misdirected Email Exposed the PHI of CareOregon Advantage Members

The Portland, OR-based health insurance agency, CareOregon Advantage, has started notifying 10,467 plan members about an impermissible disclosure of some of their protected health information. On January 27, 2022, an email containing an attachment with plan member data was sent to a contracted consultant in error.

The consultant immediately notified CareOregon Advantage about the error and permanently deleted the email and attachment. The attached file contained information such as member names, ID numbers, Medicare/Medicaid numbers, and dates of birth. CareOregon Advantage believes the risk of misuse of member data is low.

CareOregon Advantage said its investigation confirmed that it has the correct policies and procedures in place to address these types of incidents and those policies and procedures are reviewed annually. The employee who sent the email has received additional training.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.