HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI Exposed in Three Recent Email Security Incidents

Three email system breaches have been reported in the past few days that have resulted in unauthorized individuals gaining access to email accounts containing protected health information.

Navicent Health Notifies Patients About July 2018 Phishing Attack

Macon, GA-based Navicent Health is notifying certain patients that some of their protected health information has potentially been compromised as a result of a cyberattack on its email system.

Upon discovery of the breach in July 2018, law enforcement was notified and a leading computer forensics firm was hired to investigate the breach.

Navicent Health explained in a substitute breach notice on its website that it only became clear on January 24 that email accounts containing patient information had been breached. No reason was given as to why it took 6 months from the discovery of the breach to determine that patients’ PHI had been compromised.

The types of information potentially accessed by the attackers included names, addresses, dates of birth, and some medical information such as appointment dates and billing information. Some individuals also had their Social Security numbers exposed. Navicent Health was unable to determine whether any patients’ PHI was viewed or downloaded by the attackers.

All patients affected by the incident have now been notified and complimentary identity theft protection services have been offered to all individuals whose Social Security number was potentially compromised.

Navicent Health has since been working with multiple cybersecurity firms to improve security and prevent further breaches.

The OCR breach portal indicates 278,016 patients were affected by the breach.

Duluth Human Development Center Discovers Email Account Compromise

When performing a routine analysis of email logs on January 25, the Human Development Center (HDC) in Duluth, MN, discovered the email account of an employee was accessed by an unauthorized individual on two occasions on January 16 and 18, 2019.

An analysis of the compromised account revealed it contained protected health information of clients, including names, dates of birth, internal HDC client numbers, descriptions of the HDC services received, and procedure codes. Clients affected by the breach had received services from HDC between 2011 and 2018.

The probability of information being accessed and misused is believed to be low. Affected individuals have now been notified of the breach.

The OCR breach portal indicates 1,200 patients were affected by the breach.

Frederick Regional Health System Email Breach Impacts Hospice Patients

Frederick Regional Health System in Frederick, MD, has discovered the protected health information of certain hospice patients has potentially been accessed by unauthorized individuals as a result of a phishing attack.

The phishing attack was discovered on January 21, 2019, and unauthorized access to the account was promptly terminated. An analysis of the account revealed emails and attachments contained information such as names, health insurance information, type of health insurance and, for some individuals, Social Security numbers. Patients affected by the breach had received hospice services from Frederick Regional Health System between June 2017 and January 2019.

No evidence of misuse of PHI has been uncovered but, as a precaution, Frederick Regional Health System is offering eligible patients complimentary credit monitoring and identity theft protection services for 12 months. Security has since been enhanced and further email security training has been provided to employees.

The HHS’ Office for Civil Rights breach portal shows 760 Frederick Memorial Hospital patients were affected by the breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.