Over 212,500 Patients Affected by 2020 Email Account Breach at Florida Digestive Health Specialists
The Bradenton, FL-based gastroenterology healthcare provider Florida Digestive Health Specialists (FDHS) has recently started notifying more than 212,000 patients that some of their protected health information has been exposed in a December 2020 cyberattack.
Notification letters were sent to affected individuals on December 27, 2021, by attorney Jason M. Schwent of Clark Hill. The letters explain that suspicious activity was detected in an employee email account on December 16, 2020, which involved an unauthorized individual sending emails from that account.
This was a business email compromise attack where access to an internal email account is gained, usually via a phishing email, and the account is then used to impersonate an employee to convince other individuals to make fraudulent wire transfers. In this case, on December 21, 2020, FDHS determined a fraudulent transfer of funds had been made to an unknown bank account.
FDHS engaged the services of Clark Hill and a third-party cybersecurity firm to investigate the cyberattack. The investigation confirmed a limited number of employee email accounts had been accessed by unauthorized individuals. Those accounts were described as “voluminous” and contained the personal and protected health information of 212,509 patients. In attacks such as this, the aim of the attack is to obtain payments through fraudulent wire transfers rather than to obtain patient data; however, data theft could not be ruled out.
The amount of data present in the compromised email accounts was provided as a reason for a 12-month delay in issuing notification letters to affected patients. FDHS said the review of the email accounts was time-consuming and only concluded on November 19, 2021.
In response to the breach, several changes were made to its IT systems to improve security. Those measures include a password reset across its IT environment, implementation of multifactor authentication, strengthening password protocols, and reconfiguring its firewall.
Affected individuals have been offered 12-months of complimentary credit monitoring and identity theft protection services.