HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

4 Healthcare Providers and Health Plans Report Phishing-Related PHI Breaches

Email accounts containing the protected health information (PHI) of thousands of patients have been compromised at Loyola University Medical Center, Advent Health Partners, Signature Healthcare Brockton Hospital, and Welfare, Pension and Annuity Funds of Local No. ONE, I.A.T.S.E.

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E

Welfare, Pension, and Annuity Funds of Local No. ONE, I.A.T.S.E has recently notified 20,579 individuals about an email security incident that resulted in the exposure of sensitive data. On December 21, 2021, suspicious activity was detected in an employee email account. The account was immediately secured to prevent further unauthorized access and a forensic investigation was conducted to determine the nature and scope of the breach.

The investigation determined on October 25, 2021, that the email account had been accessed by an unauthorized individual between May 11, 2021, and August 2, 2021, as a result of the employee responding to a phishing email. A manual review of the emails and attachments confirmed they contained the following types of information:

Names, dates of birth, government identification numbers, Social Security numbers, financial account information, and medical information that potentially includes healthcare provider information, diagnostic and conditions information, treatment and medication information, medical identification number(s), and/or health insurance plan information. I.A.T.S.E Local ONE said it has found no evidence of misuse of any sensitive information.

Following the breach, I.A.T.S.E Local ONE worked with its IT managed services provider and implemented further measures to harden email security and prevent further data breaches.

Loyola University Medical Center

Loyola University Medical Center (LUMC) has notified 16,934 patients that some of their PHI has been exposed and potentially accessed by an unauthorized individual who gained access to an employee email account. LUMC detected suspicious activity in the email account on October 31, 2021. The account was immediately secured, and an investigation was launched to determine the nature and scope of the attack.

The investigation revealed the account was accessed between October 29, 2021, and October 31, 2021, but it was not possible to determine if any emails or attachments had been viewed or acquired. No evidence has been found of any actual or attempted misuse of patient information.

A review of the emails in the account confirmed they contained the following types of patient information: Full name, address, telephone, date of birth, email, and medical information such as medical record number, conditions, medications, test results, medical facility, type of service and some health plan information.

While there is believed to be a low risk of identity theft and fraud, affected individuals have been provided with a complimentary membership to a credit monitoring and dark web monitoring service for 12 months.

LUMC said it has made significant investments in cybersecurity and has a strong security program that includes a dedicated cybersecurity team, 24/7/365 monitoring, and testing of security controls.

Signature Healthcare Brockton Hospital

Massachusetts-based Signature Healthcare has recently announced a data breach that has affected 9,798 Brockton Hospital patients. Suspicious activity was detected in its email environment on November 4, 2021, with the investigation confirming the email accounts of several clinicians had been accessed by unauthorized individuals from October 16, 2021, to November 4, 2021.

A leading forensic security firm was engaged to investigate the breach and confirm its computer systems and network were secure. Signature Healthcare said the email accounts did not appear to have been accessed in order to obtain patient data and there has been no evidence of misuse of any protected health information; however, unauthorized PHI access could not be ruled out.

The compromised email accounts contained the following types of information: First and last names, sex, birthdates, dates of visits, test results, medical record numbers, diagnoses, and medical histories. Signature Healthcare is reviewing its technical controls and procedures and will take steps to improve security and prevent further breaches.

Advent Health Partners

Advent Health Partners, a Nashville, TN-based provider of claims management services to hospital groups, discovered in early September 2021 that an unauthorized individual had gained access to certain employee email accounts. An investigation was launched to determine the extent and nature of the breach, and it was determined on December 8, 2021, that certain files in the compromised email accounts had potentially been accessed.

Advent Health Partners is provided with limited data sets for routine operational purposes related to communications with health insurance companies, and some of that information was stored in email attachments.

Notifications have now been sent to all affected individuals and free access to credit monitoring and identity theft protection services is being provided. Advent Health Partners said it has reviewed and updated its security policies and has implemented additional safeguards to improve email security.

The HHS’ Office for Civil Rights breach portal indicates 1,383 individuals have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.