HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack.

The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours.

A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused.

Steps have now been taken to prevent similar breaches in the future including enhancing email security measures to block phishing emails, implementing multi-factor authentication for email accounts, enhancing security awareness training for employees, and implementing new email retention policies.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Overlake started mailing notification letters to affected patients on February 4, 2019. The data breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2019.

VibrantCare Rehabilitation Phishing Attack Impacts 1,655 Patients

The California physical therapy provider, VibrantCare Rehabilitation, has discovered an employee email account has been compromised following a response to a phishing email.

Unusual activity was detected in the email account and third-party computer specialists were called in to investigate a potential breach. The investigation revealed the email account was accessed by an unauthorized individual between August 20, 2019 and August 27, 2019. A painstaking analysis of the email account confirmed on December 11, 2019 that it contained the protected health information of 1,655 patients.

The exposed information varied from patient to patient. In addition to first and last names, the exposed information included demographic information, financial account information, credit or debit card information, Social Security numbers, driver’s license numbers, government or state identification numbers, military identification numbers, passport numbers, alien registration numbers, student identification numbers, medical and treatment information, health insurance information, Medicare or Medicaid numbers, patient numbers, medical record numbers, and prescription information.

No evidence of data access or data theft was found and no reports have been received to suggest patient information has been misused; however, as a precaution, affected patients have been advised to monitor their accounts, explanations of benefits, and credit reports for suspicious activity.

VibrantCare Rehabilitation is now reviewing and enhancing its existing policies to prevent further phishing attacks in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.