PHI Exposed in Phishing Attacks on Healthcare Resource Group and Confido

The pharmacy benefits consulting firm Confido has started notifying 3,600 of its clients’ employees, members, and their dependents, that some of their personal information has potentially been accessed by an unauthorized individual who gained access to an employee’s email account.

The email account breach was detected on December 12, 2020 and an investigation was launched to determine the scale and scope of the breach. Assisted by a third-party security firm, Confido determined on January 17, 2020 that an unauthorized individual had access to the email account for a period of two weeks between November 29, 2019 and December 12, 2019. It was not possible to determine if information in the email account was downloaded, but the possibility could not be ruled out.

A comprehensive review of the email account revealed it contained names, dates of birth, health insurance information, Social Security numbers, prescription information, treatment information, and clinical information such as diagnoses and provider names.

Individuals affected by the breach were notified on February 10, 2020. Complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed.

The breach has prompted Confido to provide further security awareness training to its employees and additional procedures have been implemented to strengthen email security.

Healthcare Resource Group Phishing Attack Impacts Barlow Respiratory Hospital Patients

Healthcare Resource Group, a provider of billing services to Barlow Respiratory Hospital in Los Angeles, CA, discovered that an employee’s email account was accessed by an unauthorized individual. An investigation was conducted which revealed the email account was accessed between November 4, 2019 and November 30, 2019.

An analysis of the email account revealed emails and attachments contained a limited amount of protected health information of current and former Barlow Respiratory Hospital patients.

A third-party firm was engaged to review the account to determine what types of information had ben compromised. The review was completed on February 27, 2020 and revealed patient names had been exposed along with one or more of the following data elements: Date of birth, Social Security number, driver’s license number, medical record number, patient account number, health insurance information, treatment information, and medical billing or claims information.

Healthcare Resource Group sent notifications to affected patients on behalf of Barlow Respiratory Hospital on April 7, 2020. One year’s membership to credit monitoring and identity theft restoration services has been offered to affected patients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.