HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Email Security Breach Impacts 47,000 Covenant Healthcare Patients

Covenant Healthcare in Saginaw, MI has discovered an unauthorized individual gained access to two employee email accounts that contained the protected health information of 47,178 patients. The security breach was identified on December 21, 2020, with the investigation revealing the first email account was compromised on May 4, 2020.

A review of the compromised email accounts revealed they contained the following types of protected health information: Names, addresses, dates of birth, Social Security numbers, driver’s license numbers, medical diagnosis and clinical information, medical treatment information, prescription information, doctors’ names, medical record numbers, patient account numbers, and medical insurance information.

Affected individuals have been advised to place a fraud alert on their accounts and to monitor their account statements for signs of unauthorized activity. Affected individuals do not appear to have been offered complimentary credit monitoring.

“We are committed to keeping your personal information safe and pledge to continually evaluate and modify our practices and internal controls to enhance security and privacy,” explained Covenant Healthcare in its website breach notice.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Fisher-Titus Medical Center – Norwalk, Ohio

An unauthorized individual has gained access to the email account of an employee of Fisher-Titus Medical Center in Norwalk, OH. The email account was first accessed in August 2020 and access remained possible until October 2020 when the breach was discovered and the email account was secured.

The delay in issuing notifications to affected individuals was due to the time taken to investigate the breach. Third-party cybersecurity experts completed their investigation on January 13, 2020 and breach notification letters were sent on February 18, 2021.

The medical center determined the breach included patient names, medical information such as diagnoses, clinical information, health insurance information, Social Security numbers, and credit/debit card numbers. Affected individuals whose Social Security number was potentially compromised have been offered complimentary membership to credit monitoring services for 12 months.

Additional safeguards have now been implemented, including changes to the password policy, enhanced antivirus software, upgrades to external firewalls, and email retention policies have been revised and monitoring enhanced. A new anti-phishing platform has also been implemented.

University Hospital – Newark, New Jersey

University Hospital in Newark, NJ, has discovered an unauthorized individual gained access to its computer network and potentially viewed and exfiltrated patient information. The incident was detected on September 14, 2020, with the system found to have been breached four days previously.

A forensic investigation revealed the attacker potentially gained access to names, addresses, dates of birth, driver’s license numbers, Social Security numbers, state ID numbers, passport numbers, insurance information, financial information, medical record numbers, and some clinical information.

Affected individuals have been offered complimentary membership to identify theft protection and credit monitoring services for 12 months. University Hospital has since taken steps to improve its security protocols to prevent further breaches.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.