HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 138K Individuals Exposed in 3 Email Security Incidents

Hackers have gained access to email accounts containing protected health information (PHI) at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute, and Volunteers of America Southwest California.

Injured Workers Pharmacy

Andover, MA-based Injured Workers Pharmacy has recently reported a data breach to the Maine Attorney General that was discovered on or around May 11, 2021, when suspicious activity was detected in an employee email account. The account was immediately secured and third-party computer forensics specialists were engaged to investigate the breach. The investigation revealed 7 email accounts had been compromised between January 16, 2021, and May 12, 2021.

Third-party data review specialists were engaged to check the emails and attachments in the compromised accounts, which confirmed they contained the protected health information of 75,771 individuals such as names, addresses, and Social Security numbers. After the review, Injured Workers Pharmacy validated the results, and that process was completed on or around December 14, 2021. Notification letters started to be sent to affected individuals on February 3, 2022.

Injured Workers Pharmacy said it has augmented its email security measures and is offering affected certain individuals complimentary credit monitoring and identity restoration services.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has discovered an employee email account containing the protected health information of 61,595 patients has been accessed by an unauthorized individual. The forensic investigation revealed the email account was accessed between February 24, 2021, and February 26, 2021.

A comprehensive review of emails and attachments was conducted, and the process was completed on November 22, 2021. iRise said the following types of information may have been viewed or acquired in the attack: Names, dates of birth, diagnoses, clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, financial account information, credit card numbers, and/or usernames and passwords exposed.

Affected individuals have been notified and a 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security numbers were exposed. iRise has reviewed its email security measures and has implemented additional technical safeguards, including multifactor authentication. Additional training on email security has also been provided to the workforce.

Volunteers of America Southwest California

The San Diego, CA-based social service organization Volunteers of America Southwest California recently announced it was the victim of a phishing attack. An employee received an email that appeared to be a voicemail message, that included a link to a website that required login credentials to be entered to listen to the message. The login credentials were captured and used to access the employee’s email account.

The email account was accessed by the attackers on or around November 16, 2021, and the intrusion was detected and remediated on November 16. A review of the email account revealed it contained the first and last names of clients in the vast majority of cases, with some of the records also including individuals’ COVID-19 vaccination status.

The breach appears to have been fully remediated and third-party experts have been engaged to validate the containment measures. Email security has been enhanced in response to the breach.

The breach was reported to the HHS’ Office for Civil Rights as affecting 1,300 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.