HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 23,811 Palmetto Health Patients Exposed in Phishing Attack

Palmetto Health – Now Prisma Health – has experienced a phishing attack that has resulted in several email accounts being accessed by unauthorized individuals.

Emails were sent to Palmetto Health employees which contained a malicious hyperlink. When the link in the emails was clicked, employees were directed to a realistic-looking web page where they were required to enter their email credentials. Doing so disclosed those credentials to the attackers, who used them to gain access to the email accounts.

A third-party computer forensics firm was retained to conduct an investigation into the breach to determine the nature and extent of access and whether any patients’ protected health information had been accessed or obtained.

The forensics firm determined that the first of the email accounts were compromised in November 2018. The review process took some time to complete as emails had to be manually checked to determine whether they contained any protected health information. The review process was completed on February 19, 2019 and revealed the protected health information of 23,811 patients had been exposed.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

The exposed information was limited to names and information used by Palmetto Health when providing treatment or consultation. A small percentage of the emails also contained health insurance information, Social Security numbers, and/or financial information.

Palmetto Health believes the aim of the attack was to gain access to payroll information rather than to obtain patient health information. No evidence was uncovered to suggest any patient information was accessed or copied, but data theft could not be ruled out.

Complementary credit monitoring and identity theft protection services have been offered to all patients whose financial information has potentially been accessed.

Weslaco Regional Rehabilitation Hospital Patients Notified of Phishing Attack

Earnest Health has announced that certain patients who visited the Weslaco Regional Rehabilitation Hospital in Texas have had some of their protected health information exposed as a result of an October 2018 phishing attack.

The exposed information was limited to names, dates of birth, health insurance details, patient care information, driver’s license numbers, and Social Security numbers.

The hospital has notified all affected patients by mail and has offered complimentary credit monitoring and identity theft protection services to all patients whose driver’s license number or Social Security number was exposed.

Staff at the hospital are being provided with further training to help them identify potentially malicious emails.

The breach summary on the HHS’ Office for Civil Rights breach portal shows 1,434 patients were affected by the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.