PHI of 10,893 Summa Health Patients Potentially Compromised in Phishing Attack
Akron, Ohio-based Summa Health has discovered an unauthorized individual has gained access to four employee email accounts containing patients’ protected health information (PHI).
Summa Health became aware of the breach on May 1, 2019 and launched an investigation that revealed 2 email accounts had been breached in August 2018, and a further two accounts between March 11, 2019 and March 29, 2019.
All four accounts were immediately secured and a third-party computer forensics firm was hired to determine whether any patient information had been accessed or stolen. The firm found no evidence of data theft or PHI access, although it was not possible to rule out the possibility that patient information was compromised in the breach.
An analysis of the compromised accounts revealed they contained the following types of PHI: Patient names, dates of birth, medical record numbers, patient account numbers, clinical information, and treatment information.
In total, 10,893 patients were affected. A small subset of those patients also had their Social Security numbers and/or driver’s license numbers exposed.
On June 28, 2019, Summa Health submitted two separate breach reports to OCR for the August and March attacks, one affecting 7989 individuals and the other affecting 2,904 individuals.
Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number or driver’s license number was exposed.
Summa Health will be reinforcing employee training on privacy and security and additional security measures will be implemented to improve email security.
Community Physicians Group Phishing Attack Impacts 5,400 Patients
Siloam Springs, AR-based Community Physicians Group is alerting 5,400 patients that their PHI has been exposed as a result of a phishing attack.
The breach was detected on April 24, 2019 when suspicious activity was identified in an email account. An investigation revealed malicious software had been installed on February 19, 2019 which allowed access to be gained to the email account.
The email account contained PHI in email attachments. The exposed information was limited to names, medical record numbers, dates of service, and a brief description of the nature of the visit. No Social security numbers, financial information, or other highly sensitive information were exposed.
The malware has now been removed and security has been improved with a new cloud-based anti- malware protection system.
Addison County Home Health & Hospice Email Breach Reported
758 patients of Addison County Home Health & Hospice in Vermont are being notified that some of their PHI has been exposed as a result of a recent email security breach.
The breach was discovered on April 26, 2019 and the investigation revealed unauthorized access to the account was first gained on February 19, 2019.
An analysis of the emails in the account revealed they contained names, clinical information, and for certain patients, medical record numbers and Social Security numbers.
A free 12-month membership to credit monitoring and identity protection services has been offered to individuals whose Social Security number was exposed.
The hospice will be augmenting its technical security controls and further training will be provided to employees to help them identify phishing emails.