HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Organizations Report Email Compromises, Hacking Incidents and Other ePHI Exposures

A round-up of data breaches that have recently been reported by healthcare organizations that have involved the exposure or theft of individuals’ personal and protected health information.

Catholic Health Services Reports Breach of Employee Email Accounts

Miami Lakes, FL-based Catholic Health Services has discovered the email accounts of three Catholic Hospice employees have been accessed by unauthorized individuals. Assisted by a third-party computer forensics firm, Catholic Health Services determined on December 1, 2021, that the email accounts contained sensitive data including names, addresses, and one or more of the following data types: demographic information, Social Security numbers, medical information, and treatment history, diagnosis, and other health-related information.

The breach was reported to the HHS’ Office for Civil Rights as affecting 14,986 individuals. Notifications have now been issued and breach victims have been offered complimentary credit monitoring and identity theft protection services, which include a $1, 000,000 identity theft insurance policy.

Crossroads Health Reports Breach of 10,324 Records

Crossroads Health in Ohio has experienced a cyberattack that disrupted some of its IT systems. The security incident was detected on January 18, 2022, with the subsequent investigation confirming unauthorized individuals had access to its systems between November 18, 2021, and January 18, 2022.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Assisted by a third-party computer forensics firm, Crossroads Health determined on January 24, 2022, that the attackers exfiltrated files from a legacy system that included the data of clients of the former behavioral health facility, Beacon Health, that has now merged with Crossroads Health. Those files included information such as names, contact information, dates of birth, Social Security numbers, driver’s license numbers, treatment and diagnosis information, and/or health insurance information.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 10,324 individuals. Patients who had their Social Security numbers and/or driver’s license numbers exposed have been offered complimentary credit monitoring and identity protection services.

Crossroads Health said it has implemented additional technical safeguards to protect against future cyberattacks.

CVS Pharmacy Password Spraying Attack Exposed PHI of 6,221 Individuals

CVS Pharmacy says it was the victim of a password spraying attack that allowed hackers to gain access to certain customer accounts on its retail website, CVS.com. Password spraying is the use of passwords exposed in previous data breaches to try to access other user accounts.

On January 25, 2022, CVS Pharmacy determined certain accounts had been compromised. Those accounts contained information such as first and last names, birth dates, mailing addresses, email addresses, and limited prescription information.

A password reset was performed on all affected accounts and steps have been taken to improve the security of its websites. The breach has been reported to the HHS’ Office for Civil Rights as affecting 6,221 individuals.

Towne Home Care Reports Breach of the PHI of 5,591 Individuals

The New Jersey provider of home care services, Towne Home Care, has recently issued notifications to 5,591 individuals about a cyberattack that was detected and blocked on May 17, 2021, that resulted in protected health information being exposed.

Computer forensics experts were engaged to investigate the security breach and a review was conducted of all files on the affected systems. The investigation did not uncover any evidence to suggest any misuse of patient data; however, as a precaution, complimentary credit monitoring services are being offered to affected individuals.

Fellowship Community Suffers Breach of the PHI of 3,500 Individuals

Bible Fellowship Church Homes, Inc. dba Fellowship Community in Whitehall, PA, has recently announced it was the victim of a cyberattack that was detected on August 6, 2021. Digital forensics experts were engaged to investigate the breach, with the investigation determining unauthorized individuals gained access to its systems on July 31, 2021, and potentially accessed and acquired sensitive information.

A review was conducted of the files on the affected systems and that process was completed on February 1, 2022. Fellowship Community then confirmed contact information and issued notifications. The attackers potentially obtained names, dates of birth, Social Security numbers, financial account numbers, medical information, and/or health insurance information. Fellowship Community found no evidence to suggest there has been any misuse of individuals’ information.

The breach was reported to the HHS’ Office for Civil Rights as affecting 3,500 individuals.

Michigan Medicine Announces Breaches Affecting Over 3,000 Patients

Ann Arbor, MI-based Michigan Medicine has started notifying 2,920 patients about an email account breach. A hacker gained access to the email account of an employee following a response to a phishing email then used the account for further phishing attacks.

A Michigan Medicine spokesperson said the email account was accessed on December 23, 2021, but the unauthorized access was not detected until January 6, 2022, when the employee identified suspicious email activity. A comprehensive review of emails was conducted to determine which patients had their information exposed. That process was completed on February 15, 2022.

The information in the email account varied from patient to patient and included names, addresses, birth dates, medical record numbers, diagnostic and treatment information, and health insurance information. Financial information and Social Security numbers were not exposed.

Michigan Medicine has also notified 269 patients that some of their protected health information was accessed without authorization by a newly hired employee. The breach was detected on January 27, 2022, with the investigation confirming the unauthorized access occurred between January 12, 2022, and January 25, 2022. The incident appears to be a case of snooping. The former employee had links with the local Korean community and the records accessed related to members of that community. The former employee accessed demographic and clinical information, including diagnoses, treatment information, and test results, and was terminated for the HIPAA violation.

Charlotte Radiology Confirms Patient Data Stolen in Cyberattack

Charlotte Radiology in North Carolina has confirmed patient data was stolen in a cyberattack that saw its systems compromised between December 17, 2021, and December 24, 2021.

A forensics firm was engaged to investigate the breach and determine the extent and scope of the incident. The investigation confirmed that files were exfiltrated from its systems that included the protected health information of a limited number of individuals including names, addresses, birth dates, health insurance information, medical record numbers, patient account numbers, physician name(s), date(s) of service, diagnoses and/or treatment information related to radiology services.

Charlotte Radiology says the breach affected a very limited number of patients. Individuals who had their Social Security number exposed or stolen have been offered complimentary credit monitoring services. Steps have since been taken to improve information security, systems, and monitoring capabilities.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.