PHI of 109,000 Patients Potentially Compromised in Washington Phishing Attack

Share this article on:

Bellevue, WA-based Overlake Medical Center & Clinics is notifying 109,000 patients that some of their personal and protected health information has potentially been compromised as a result of a December 2019 phishing attack.

The phishing attack was detected on December 9, 2019 and a password reset was performed to prevent further unauthorized access. Overlake determined that one email account was compromised on December 6, 2019 and access remained possible until December 9 when the account was secured. Further email accounts were compromised on December 9, but access was only possible for a few hours.

A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake. No Social Security numbers or financial information was compromised. The investigation uncovered no evidence of data theft and no reports have been received to suggest patient data has been misused.

Steps have now been taken to prevent similar breaches in the future including enhancing email security measures to block phishing emails, implementing multi-factor authentication for email accounts, enhancing security awareness training for employees, and implementing new email retention policies.

Overlake started mailing notification letters to affected patients on February 4, 2019. The data breach was reported to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2019.

VibrantCare Rehabilitation Phishing Attack Impacts 1,655 Patients

The California physical therapy provider, VibrantCare Rehabilitation, has discovered an employee email account has been compromised following a response to a phishing email.

Unusual activity was detected in the email account and third-party computer specialists were called in to investigate a potential breach. The investigation revealed the email account was accessed by an unauthorized individual between August 20, 2019 and August 27, 2019. A painstaking analysis of the email account confirmed on December 11, 2019 that it contained the protected health information of 1,655 patients.

The exposed information varied from patient to patient. In addition to first and last names, the exposed information included demographic information, financial account information, credit or debit card information, Social Security numbers, driver’s license numbers, government or state identification numbers, military identification numbers, passport numbers, alien registration numbers, student identification numbers, medical and treatment information, health insurance information, Medicare or Medicaid numbers, patient numbers, medical record numbers, and prescription information.

No evidence of data access or data theft was found and no reports have been received to suggest patient information has been misused; however, as a precaution, affected patients have been advised to monitor their accounts, explanations of benefits, and credit reports for suspicious activity.

VibrantCare Rehabilitation is now reviewing and enhancing its existing policies to prevent further phishing attacks in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On