HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New York Nursing Center and Phoenix Children’s Hospital Affected by Phishing Attacks

Village Center for Care dba VillageCare Rehabilitative and Nursing Center (VRNC) and Village Senior Services Corporation dba VillageCareMAX (VCMAX) have fallen victim to a business email compromise (BEC) attack. BEC attacks involve the impersonation of an executive, either using the executive’s genuine email account compromised in a previous attack or by spoofing the executive’s email address.

An unauthorized individual, pretending to be member of the executive team, requested sensitive information on VRNC patients and VCMAX members. Believing the request to be legitimate, the employee responded and provided the information as requested. VCMAX and VRNC were alerted to a potential BEC attack on or around December 30, 2019.

The investigation confirmed the request was not genuine and sensitive information on VRNC patients and VCMAX members had been impermissibly disclosed. The information sent via email included the names and Medicaid ID numbers of 2,645 VCMAX members and first and last names, dates of birth, insurance provider names, and Insurance ID numbers of 674 VRNC patients.

There have been no reports of misuse of personal information, but all affected individuals have been advised to be vigilant and check accounts, credit reports, and explanation of benefits statements for signs of fraudulent activity. VCMAX and VRNC are reviewing and enhancing their policies and procedures to prevent further attacks of this nature in the future.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

1,860 Individuals Impacted by Phishing Attack on Phoenix Children’s Hospital

The email accounts of seven employees of Phoenix Children’s Hospital have been compromised as a result of a targeted phishing campaign between September 5 and September 20, 2019.

Upon discovery of the breach, a leading computer forensic firm was engaged to investigate the extent of the breach. The hospital learned on November 15, 2019 that the compromised accounts contained the protected health information of 1,860 current and former patients which may have been viewed or obtained by the attackers.

The accounts were found to contain patient names, personal information and, for some individuals, limited health information and Social Security numbers.

On January 14, 2020, Phoenix Children’s Hospital started notifying affected patients by mail. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number was potentially compromised.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.