The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack

Oaklawn Hospital in Marshall, MI, has started notifying 26,861 patients about a potential breach of their personal and health information.

It is unclear when the breach was detected, but the forensic investigation revealed on July 28, 2020 that the email accounts of certain employees had been accessed by unauthorized third parties between April 14 and April 15, 2020. Access to the accounts was gained after employees responded to phishing emails and disclosed their email credentials. The breach was detected when suspicious emails were found in several employee email accounts.

A comprehensive manual document review was conducted to identify any protected health information stored in the compromised email accounts. The compromised accounts were discovered to contain patient names along with dates of birth, medical information, and health insurance information. The Social Security numbers, driver’s license numbers, financial account information, and online login information of “a very limited” number of patients were also potentially compromised. The delay in issuing notification letters was due to the time-consuming manual document review process.

The phishing attack prompted Oaklawn Hospital to review its cybersecurity protections, and significant measures have now been taken to improve technical security safeguards, including the use of multi-factor authentication software. Employees have also been provided with additional security awareness training.

All patients affected by the breach have been advised to monitor their explanation of benefits statements for any transactions related to care or services that they have not received, and individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services.

While unauthorized email account access was confirmed, the investigation did not uncover any evidence to suggest patient information was accessed or stolen by the attackers, and no reports have been received indicating any misuse of patient data.

Mono County Discovers Breach of COVID-19 Statistics Database

Mono County in California has discovered that an unauthorized individual gained access to its online COVID-19 statistics database between April 2 and July 24, 2020. The database included the protected health information of individuals who had been tested for COVID-19 prior to July 24, 2020.

The database contained individuals’ date of birth, gender, race, geographic region of residence in Mono County, and the result of their COVID-19 test. Names, addresses, and other identifying information were not included in the database. The database was secured on July 28, 2020 and external access is no longer possible.

The breach report submitted to the HHS’ Office for Civil Rights shows the PHI of 2,850 individuals was stored in the database.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
