HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Magnolia Health Victim of Spoofed Email Scam

Magnolia Health Corporation is the latest healthcare provider to report a data breach caused by an employee responding to a spoofed email, which appeared to have been sent by the CEO.

The data breach affects employees of Magnolia Health Corporation as well as those employed at facilities managed by MHC subsidiaries Kaweah Manor, Inc., Merritt Manor, Inc., Porterville Convalescent Inc., Twin Oaks Assisted Living, Inc., and Twin Oaks Rehabilitation and Nursing Center Inc.

No patients have reportedly been affected, although all active employees have had their personal information compromised. The exposed data include the full names of employees, their a0ddress, employee number, date of birth, gender, hire date, seniority date, Social Security number, salary and hourly rate, job title, department, and last date.

Employee Falls for Email Request for Employee Data


An employee responded to an email that appeared to have been sent by Magnolia Health CEO Kenny Moyle and sent a spreadsheet containing the details of active employees on February 3, 2015., as requested. However, a week later on February 10, Magnolia Health discovered that the employee had been scammed and the data were sent to an unidentified third party.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Exact details of how the scam played out have not been disclosed by Magnolia Health, although this type of scam typically involves the sending of a phishing an email from a domain very similar to that used by the targeted company.

Oftentimes a domain is registered that replaces a lowercase “L” with a number 1 or an i, or the domain has two letters transposed. The change can be difficult to spot, especially if the format of the sender’s email address is the same as that used by the company.

Attackers conduct research on their targets and find out the email address of a senior executive or CEO. They then create an email account on the spoofed domain using the same format. In some cases, the target is extensively researched and a tailored spear phishing email is crafted to maximize the probability of the individual responding.

The emails usually request bank transfers be made, login credentials supplied, or as was the case in this scam, the direct emailing of sensitive data.

Technical solutions can be employed to reduce the risk of data breaches such as this from occurring, although staff training is one of the main ways healthcare providers can lower risk. Employees must be instructed to exercise extreme caution when sending any data via email, and should treat any request for confidential data with suspicion. Whenever any request is made to send confidential data, login credentials, or make bank transfers, staff members should be instructed to take steps to verify the identity of the sender of the email.

Magnolia Health has responded quickly and has alerted all affected individuals to the security breach and has offered credit monitoring and identity theft protection services through Experian’s® ProtectMyID® Elite without charge. All employees have been urged to place a fraud alert on their credit files with one of the three main credit reference agencies.

The scam has been reported to law enforcement officers who are attempting to determine the identity of the third party in question. Additional controls are also being implemented by MHC to reduce the probability of unauthorized disclosures occurring in future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.