Hackers have gained access to email accounts containing protected health information (PHI) at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute, and Volunteers of America Southwest California.
Injured Workers Pharmacy
Andover, MA-based Injured Workers Pharmacy has recently reported a data breach to the Maine Attorney General that was discovered on or around May 11, 2021, when suspicious activity was detected in an employee email account. The account was immediately secured and third-party computer forensics specialists were engaged to investigate the breach. The investigation revealed 7 email accounts had been compromised between January 16, 2021, and May 12, 2021.
Third-party data review specialists were engaged to check the emails and attachments in the compromised accounts, which confirmed they contained the protected health information of 75,771 individuals such as names, addresses, and Social Security numbers. After the review, Injured Workers Pharmacy validated the results, and that process was completed on or around December 14, 2021. Notification letters started to be sent to affected individuals on February 3, 2022.
Injured Workers Pharmacy said it has augmented its email security measures and is offering affected certain individuals complimentary credit monitoring and identity restoration services.
iRise Florida Spine and Joint Institute
The iRise Florida Spine and Joint Institute has discovered an employee email account containing the protected health information of 61,595 patients has been accessed by an unauthorized individual. The forensic investigation revealed the email account was accessed between February 24, 2021, and February 26, 2021.
A comprehensive review of emails and attachments was conducted, and the process was completed on November 22, 2021. iRise said the following types of information may have been viewed or acquired in the attack: Names, dates of birth, diagnoses, clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. A limited number of individuals also had their Social Security numbers, driver’s license numbers, financial account information, credit card numbers, and/or usernames and passwords exposed.
Affected individuals have been notified and a 12-month complimentary membership to a credit monitoring service has been offered to individuals whose Social Security numbers were exposed. iRise has reviewed its email security measures and has implemented additional technical safeguards, including multifactor authentication. Additional training on email security has also been provided to the workforce.
Volunteers of America Southwest California
The San Diego, CA-based social service organization Volunteers of America Southwest California recently announced it was the victim of a phishing attack. An employee received an email that appeared to be a voicemail message, that included a link to a website that required login credentials to be entered to listen to the message. The login credentials were captured and used to access the employee’s email account.
The email account was accessed by the attackers on or around November 16, 2021, and the intrusion was detected and remediated on November 16. A review of the email account revealed it contained the first and last names of clients in the vast majority of cases, with some of the records also including individuals’ COVID-19 vaccination status.
The breach appears to have been fully remediated and third-party experts have been engaged to validate the containment measures. Email security has been enhanced in response to the breach.
The breach was reported to the HHS’ Office for Civil Rights as affecting 1,300 individuals.