HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Exposed in Phishing Attacks on FHN and Elkins Rehabilitation & Care Center

The Freeport, IL-based healthcare system FHN is notifying certain patients that some of their protected health information has potentially been obtained by an unauthorized individual who gained access to the email accounts of several employees between February 12 and February 13, 2020.

FHN announced on April 20, 2020 that the investigation had confirmed that a breach occurred, but it took time to determine the information that may have been viewed or obtained. It was not possible to determine whether patient information contained in the accounts was viewed or obtained, but data access could not be ruled out. Affected individuals were notified on July 31, 2020.

The compromised accounts contained names, dates of birth, health insurance information, medical record numbers, patient account numbers, and limited treatment and/or clinical information, such as provider names, diagnoses, and medication information. A limited number of Social Security numbers and driver’s license numbers were also potentially compromised. The PHI of 4,120 patients was exposed.

Complimentary credit monitoring and identity protection services have been offered to individuals whose Social Security numbers and/or drivers’ license numbers were exposed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

FHN has provided further training to its employees to help them identify and avoid suspicious emails and steps have been taken to strengthen email security, including the use of 2-factor authentication.

3,127 Patients Impacted by Email Security Incident at Elkins Rehabilitation & Care Center

In February 2019, Elkins Rehabilitation & Care Center (ERCC) in West Virginia discovered unauthorized individuals had gained access to the email accounts of some of its employees. An internal investigation by the IT security team revealed several computer systems had been infected with malware between February 4, 2019 and February 7, 2019. The IT security team worked fast to identify and remove the malware, and a full password reset was performed on all email accounts. When ERCC learned that the malware was capable of exfiltrating emails, an e-discovery expert was engaged to review all emails in the account to determine the information that was potentially stolen in the attack.

The review of the accounts was completed on July 1, 2020 and notification letters have now been sent to all affected individuals. The breached accounts contained personal and protected health information of current and former residents and employees such as first and last names, limited protected health information, Social Security numbers, and/or driver’s license numbers. Complimentary identity theft restoration and credit monitoring services have been offered to affected individuals.

Steps have been taken to prevent further breaches in the future, including the replacement of hard drives on computers infected with the malware and the installation of new antivirus and antimalware solutions on all computers. Additional security awareness training has also been provided to its employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.