Two HIPAA-covered entities have recently disclosed they have been victims of phishing attacks that have potentially resulted in the exposure of patients’ protected health information (PHI).
Further Phishing Attack Reported by Florida Agency for Persons with Disabilities
The Florida Agency for Persons with Disabilities (FAPD), which provides support services for people with disabilities such as autism, cerebral palsy, spina bifida, and Down syndrome, has experienced another phishing attack.
The phishing attack occurred on April 10, 2018 and was limited to a single email account; however, that account contained the PHI of 1,951 customers or guardians.
While no evidence was uncovered to suggest any PHI was viewed or copied by the attacker, PHI access could not be ruled out with 100% certainty. The compromised email account contained information such as names, birth dates, addresses, telephone numbers, health information, and Social Security numbers.
All patients have now been notified of the breach and have been offered credit monitoring services for a year without charge.
Three days after the attack, FAPD implemented a security upgrade to prevent unauthorized individuals from accessing its email system, and further training on email security protocols was provided.
This is not the first phishing attack to be reported by the agency in 2018. In February, a more extensive phishing attack occurred that resulted in multiple email accounts being compromised. That phishing attack affected more than 55,000 customers, whose names, birth dates, and Social Security numbers were potentially compromised.
Following the February attack, FAPD said it had implemented multi-factor authentication to prevent unauthorized access to its email accounts and provided further training for employees on email security protocols.
Patients Notified of Black River Medical Center Phishing Attack
Poplar Bluff, MO-based Black River Medical Center is alerting some of its patients that their protected health information has potentially been accessed by an unauthorized individual.
On April 23, 2018, a response to a phishing email allowed a hacker to gain access to the email account of a single employee. The email account contained a limited amount of protected health information, but not financial information or Social Security numbers. The breach was limited to names, addresses, phone numbers, and in some cases, treatment information.
The investigation confirmed that the incident was limited to the email account and no other systems were affected. No evidence was uncovered to suggest any PHI was accessed, obtained, or misused by the attacker.
Patients were notified of the incident on June 13, 2018, and a notice was posted on the healthcare provider’s website. The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights breach portal, so it is currently unclear exactly how many patients have been impacted.