PHI Exposed in Email Incidents at Discovery Practice Management, One Medical, and Peoples Community Health Clinic

Discovery Practice Management Notifies Individuals About June 2020 Email Incident

Discovery Practice Management, a provider of administrative support services to Authentic Recovery Center and Cliffside Malibu facilities in California, has announced that unauthorized individuals gained access to the email environment it maintains for those facilities.

Suspicious email activity was detected in the email environment on July 31, 2020. An investigation was launched which revealed there had been unauthorized logins to staff email accounts at both facilities between June 22, 2020 and June 26, 2020.

The accounts were immediately secured and a third-party cybersecurity firm was engaged to investigate the breach, but it was not possible to confirm whether protected health information in the accounts was viewed or exfiltrated.

Protected health information potentially compromised included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information such as diagnoses, treatment information, and prescription information.

The company said in its breach notification letter to the California Attorney General that it worked with both practices to confirm the contact information for the 13,611 individuals whose information was potentially compromised. That process was completed on June 2, 2021. Affected individuals have now been notified and have been offered a complimentary one-year membership to credit monitoring and identity theft protection services.

Discovery Practice Management does not believe the attack was conducted in order to steal patient information; rather, it is thought to have been part of an attempt to divert invoice payments. Steps have since been taken to improve email security, and training has been reinforced with the facilities’ staff on how to identify and avoid suspicious emails.

Email Addresses of Hundreds of One Medical Patients Exposed in Error

An email error has exposed the email addresses of hundreds of One Medical patients. One Medical sent emails to patients asking them to verify their email addresses. The patients’ email addresses were not placed in the ‘BCC’ field of the email but in the ‘To’ field, which meant every recipient could see the addresses of everyone else who was sent the email.

Only email addresses were exposed, although the emails did identify the owner of an email address as a One Medical patient. Several of the individuals who received the email took to Twitter to complain. One individual said the email that was received had 981 email addresses visible.

One Medical issued a statement on Twitter in response to the error. “We are aware emails were sent to some of our members that exposed recipient email addresses. We apologize if this has caused you concern, but please rest assured that we have investigated the root cause of this incident and confirmed that this was not caused by a security breach of our systems. We will take all appropriate actions to prevent this from happening again.”
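The root cause here is a bulk mailer putting the whole recipient list in a visible header. As an added example (not code from the article or from One Medical), the following Python pre-send check rejects any message that exposes more than one address in To/Cc; the sender address, recipient list and threshold are constructed for illustration.

```python
"""Pre-send guard for a bulk notification mailer.

Refuses to send a message whose To/Cc headers expose more than one
address, i.e. the mistake described above. Constructed example: the
sender, recipients and SMTP host are placeholders, not real addresses.
"""
import smtplib
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list (placeholder addresses).
RECIPIENTS = ["patient1@example.org", "patient2@example.org", "patient3@example.org"]
SENDER = "noreply@example.org"


def build_verification_email(recipients, sender=SENDER, use_bcc=True):
    """Build the verification email. use_bcc=False reproduces the error."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Please verify your email address"
    msg.set_content("Please follow the link in this message to verify your address.")
    if use_bcc:
        msg["To"] = sender                    # only the sender is visible
        msg["Bcc"] = ", ".join(recipients)    # recipients stay hidden from each other
    else:
        msg["To"] = ", ".join(recipients)     # the mistake: every address is visible
    return msg


def visible_recipient_count(msg):
    """Number of addresses any recipient can read from the To and Cc headers."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return sum(1 for _, addr in getaddresses(headers) if addr)


def check_before_send(msg, max_visible=1):
    """Return (ok, reason); ok is False when the message would expose addresses."""
    n = visible_recipient_count(msg)
    if n > max_visible:
        return False, f"{n} addresses visible in To/Cc; move recipients to Bcc"
    return True, "ok"


def send_via_smtp(msg, host="localhost"):
    """Send only if the guard passes. send_message() strips the Bcc header
    from the transmitted copy and uses it for the envelope recipients."""
    ok, reason = check_before_send(msg)
    if not ok:
        raise ValueError(reason)
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg)
```

The same count can be run as a detection over a mail gateway's outbound log of To/Cc header sizes to flag bulk messages that should have used Bcc.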

Peoples Community Health Center Reports Email Account Breach

Peoples Community Health Center in Waterloo, IA has discovered the email account of one of its employees has been accessed by an unauthorized individual. Suspicious email activity was detected in the email account on March 22, 2021 and third-party cybersecurity experts were engaged to determine the nature and scope of the breach.

The investigation confirmed that a single email account had been accessed by an unauthorized individual between March 18, 2021 and March 22, 2021. A review of the emails and attachments in the account was completed on May 24, 2021 and determined that the following types of information had potentially been compromised:

Names, addresses, Social Security numbers, dates of birth, driver’s license numbers, state identification numbers, medical diagnoses, medical treatment information, health insurance information, and payment card numbers or card CVV/expiration dates.

Affected individuals are being notified by mail and steps have been taken to prevent similar breaches in the future, including reviewing and enhancing policies and procedures and providing further workforce training.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.