PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center

Share this article on:

The Freeport, IL-based healthcare system FHN is notifying certain patients that some of their protected health information has potentially been obtained by an unauthorized individual who gained access to the email accounts of several employees between February 12 and February 13, 2020.

FHN announced on April 20, 2020 that the investigation had confirmed that a breach occurred, but it took time to determine the information that may have been viewed or obtained. It was not possible to determine whether patient information contained in the accounts was viewed or obtained, but data access could not be ruled out. Affected individuals were notified on July 31, 2020.

The compromised accounts contained names, dates of birth, health insurance information, medical record numbers, patient account numbers, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. A limited number of Social Security numbers and driver’s license numbers were also potentially compromised. The PHI of 4,120 patients was exposed.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers and/or drivers’ license numbers were exposed.

FHN has provided further training to its employees to help them identify and avoid suspicious emails and steps have been taken to strengthen email security, including the use of 2-factor authentication.

3,127 Patients Impacted by Email Security Incident at Elkins Rehabilitation & Care Center

In February 2019, Elkins Rehabilitation & Care Center (ERCC) in West Virginia discovered unauthorized individuals had gained access to the email accounts of some of its employees. An internal investigation by the IT security team revealed several computer systems had been infected with malware between February 4, 2019 and February 7, 2019. The IT security team worked fast to identify and remove the malware, and a full password reset was performed on all email accounts. When ERCC learned that the malware was capable of exfiltrating emails, an e-discovery expert was engaged to review all emails in the account to determine the information that was potentially stolen in the attack.

The review of the accounts was completed on July 1, 2020 and notification letters have now been sent to all affected individuals. The breached accounts contained personal and protected health information of current and former residents and employees such as first and last names, limited protected health information, Social Security numbers, and/or driver’s license numbers. Complimentary identity theft restoration and credit monitoring services have been offered to affected individuals.

Steps have been taken to prevent further breaches in the future, including the replacement of hard drives on computers infected with the malware and the installation of new antivirus and antimalware solutions on all computers. Additional security awareness training has also been provided to its employees.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On