Five Rivers Health Centers Phishing Attack Affects Almost 156,000 Patients

Ohio-based Five Rivers Health Centers has notified 155,748 patients that some of their protected health information was stored in email accounts that have been accessed by an unauthorized individual following a phishing attack.

It is unclear when the breach was discovered, but Five Rivers Health Centers reports that following an extensive forensic investigation into the cyberattack and a manual document review, it discovered on March 31, 2021, that the breached email accounts contained patients’ personal and health information.

The forensic investigation confirmed that the email accounts had been breached between April 1, 2020, and June 2, 2020. Notification letters were sent to affected patients on May 28, 2021 – more than a year after the first email accounts were breached.

The types of protected health information in emails and attachments varied from patient to patient and may have included one or more of the following data elements: name, address, date of birth, medical record number, patient account number, diagnoses, treatment and/or clinical information, test results, lab test reports, provider name, dates of service, treatment cost information, prescription information, health insurance information, and Medicaid or Medicare numbers.

A limited number of individuals also had their financial account number, payment card numbers, driver’s license number, state identification number, and/or Social Security number exposed. A 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security number was exposed.

Following the attack, policies and procedures have been reviewed and updated, 2-factor authentication has been implemented, and employees have been provided with further cybersecurity training.

Cancer Centers of Southwest Oklahoma Breach Affects 8,000 Patients

Cancer Centers of Southwest Oklahoma (CCSO) has discovered that the protected health information of 8,000 patients was potentially compromised in a cyberattack on one of its business associates. CCSO used a 1st-generation cloud-based storage system provided by Elekta Inc., which was breached earlier this year.

Elekta hired third-party cybersecurity experts to investigate the security breach and confirmed on April 28, 2021, that the breached systems included the protected health information of CCSO patients. While it was not possible to determine what information was accessed or exfiltrated by the attackers, Elekta concluded that all information in the system had been exposed and must be considered compromised. The cloud-based storage system remains offline while the forensic investigation continues.

CCSO said in its substitute breach notification letter that the following types of information were stored in the system and may have been accessed or stolen: name, Social Security number, address, date of birth, height, weight, medical diagnosis, medical treatment details, and appointment confirmations.

Elekta is offering complimentary access to identity monitoring, fraud consultation, and identity theft restoration services to affected individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.