Email Security Breaches Reported by Conway Medical Center and Equinox Inc.

The email accounts of several employees of Conway Medical Center in South Carolina have been accessed by unauthorized individuals.

The phishing attack was detected on October 7, 2019, and the affected email accounts were immediately secured to prevent further unauthorized access. External cybersecurity experts were engaged to investigate the breach and determine whether patient information had been viewed or acquired. The investigators determined that the first email accounts were compromised in or before July 2019.

It took until November 20, 2019, for the investigators to confirm that the protected health information of patients had been exposed, as each email had to be checked to determine whether it contained PHI and whether it had been accessed. That was largely a manual process.

The way the email accounts were accessed meant emails may have synchronized with the attacker’s computer and could have been automatically downloaded.

Those emails contained names, addresses, Social Security numbers, dates of birth, phone numbers, dates of admission, discharge dates, CMC account numbers, amount owed, and other information. For certain patients, the names, addresses, phone numbers, Social Security numbers, place of employment, and other information related to their guarantors were also potentially acquired.

Steps have now been taken to improve email security and notification letters have been mailed to affected patients. Individuals whose financial data has been exposed have been offered complimentary identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 2,550 patients have been affected by the security breach.

1,021 Clients of Equinox, Inc. Notified of PHI Exposure

Equinox, Inc., an Albany, NY-based provider of services to individuals suffering from chemical dependency and mental health issues and to survivors of domestic abuse, has discovered that the email accounts of two of its employees have been accessed by unauthorized individuals.

The data security breach was discovered on July 26, 2019, when suspicious activity was detected in its digital environment. Its systems were immediately secured and third-party cybersecurity experts were engaged to investigate the breach. Equinox was informed on August 28, 2019, that two email accounts had been accessed by unauthorized individuals.

The affected email accounts were then reviewed to determine whether they contained any patient information. Equinox was informed on October 9, 2019, that the protected health information of 1,021 current and former clients had potentially been accessed. The email accounts contained names, addresses, Social Security numbers, dates of birth, medical treatment or diagnosis information, health insurance information, and/or medication-related information.

No evidence was found to suggest that information in emails and attachments was viewed or acquired, and no reports have been received to indicate clients’ information has been misused.

Affected individuals were notified on December 6, 2019, and have been offered complimentary credit monitoring and identity theft protection services. Additional security measures have been implemented to prevent further breaches of this nature in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.