Multiple Email Accounts Compromised at Primary Health Care

Primary Health Care Inc., a non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, has discovered malicious actors have gained access to the email accounts of four employees and have potentially viewed or obtained patients’ protected health information.

Primary Health Care issued a press release and uploaded a substitute breach notice to its website on March 16, 2018 explaining the breach occurred on February 28, 2017. The breach was detected the following day on March 1, 2017. Primary Health Care is in the process of notifying affected patients and will be reporting the incident to the Department of Health and Human Services’ Office for Civil Rights. No explanation is provided as to why the breach took a year to report.

Primary Health Care responded quickly to the breach and terminated access to the compromised email accounts and hired a third-party computer forensics expert to conduct an investigation into the attack. The investigation revealed access to four email accounts and their associated Google Drives was gained by the attacker(s), although it was not possible to tell whether any emails were opened and if any protected health information was viewed.

An analysis of the email accounts revealed they contained information such as patients’ names along with driver’s license numbers, Social Security numbers, diagnoses, treatment information, medical histories, health insurance/payor information, facilities and providers visited, financial account numbers, credit/debit card numbers, dates of service, and in some cases, Medicaid numbers.

No evidence has been found to suggest any information has been misused, although out of an abundance of caution, affected individuals have been offered 12 months of identity theft protection services through AllClear without charge.

Primary Health Care is in the process of implementing additional security measures to enhance the privacy and security of its information systems to prevent further breaches of this nature.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.