Share this article on:
MedSpring Urgent Care, a network of urgent care clinics in Atlanta, Chicago, Austin, Dallas, Fort Worth, and Houston, has discovered an unauthorized individual has gained access to an email account as a result of an employee being duped by a phishing email.
The email account was compromised on May 8, 2018 but the security breach was not detected until May 17. Upon discovery of the breach, the email account was secured to prevent further unauthorized access and a leading cybersecurity forensics firm was contracted to conduct an investigation into the breach and assist with the breach response.
MedSpring discovered on May 22, 2018 that the attacker potentially gained access to the protected health information of patients through the emails and email attachments. The breach was limited to a single email account and no other systems were compromised.
A full review of all messages in the account was conducted to determine which patients had been affected and the types of information that had been exposed. MedSpring says the breach was limited to patients who had previously visited its urgent care clinics in Illinois.
The email account contained information such as names, medical record numbers, account numbers, dates of services, and other information related to the medical services provided to patients. The investigation did not uncover any evidence to suggest that emails in the account were viewed and MedSpring has not been informed of any cases of misuse of patient information to date.
All patients potentially affected by the phishing attack have now been notified by mail and 12 months of complimentary credit monitoring, identity protection and fraud resolution services have been provided through Experian.
As is required under HIPAA Rules, the Department of Health and Human Services’ Office for Civil Rights has been notified about the breach. The breach report indicates 13,034 patients have been affected.