Email Security Breaches Reported by Hopebridge (IN) and United Methodist Homes (NY)

Hopebridge, an Indiana-based network of 28 autism treatment centers throughout the Midwest, has discovered it has been the victim of a phishing attack that has potentially resulted in an unauthorized individual gaining access to the protected health information (PHI) of its patients.

A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker.

The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI – Their names, the services they received from Hopebridge, and an inferred autism diagnosis.

The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead the attacks appear to have been an attempt to gain access to employees’ financial information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,411 patients have been impacted by the incident. Hopebridge says there is no indication that any patient information has been misused.

The breach has prompted Hopebridge to implement stronger access controls, IP address whitelisting, and 2-factor authentication on email accounts. Hopebridge is also now masking patient names on internal emails and reports

Former Employee Stole Information of United Methodist Homes Residents

United Methodist Homes, a network of Independent and Assisted Living facilities for seniors in New York, has discovered an employee stole the protected health information of some of its current and former residents.

A spreadsheet containing information on 843 current and former residents of its Elizabeth Church and Hilltop campuses was emailed to the employee’s personal email account. The spreadsheet contained information such as residents’ names, addresses, phone numbers for residents’ contact person(s) and the relationship of those individuals to the residents. No highly sensitive information such as financial data, health data, health insurance information, or Social Security numbers were recorded in the spreadsheet.

Following the discovery of the incident on July 13, 2018, the employee was questioned, and United Methodist Homes observed the employee deleting the email and spreadsheet from his personal email account. The individual is no longer employed by United Methodist Homes.

Even though the information in the spreadsheet was extremely limited, United Methodist Homes has offered complimentary credit monitoring services to affected individuals for 12 months.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.