PHI of 26,861 Patients Potentially Compromised in Oaklawn Hospital Phishing Attack

Oaklawn Hospital in Marshall, MI, has started notifying 26,861 patients about a potential breach of their personal and health information.

It is unclear when the breach was detected, but the forensic investigation revealed on July 28, 2020, that the email accounts of certain employees had been accessed by unauthorized third parties between April 14 and April 15, 2020. Access to the accounts was gained after employees responded to phishing emails and disclosed their email credentials. The breach was detected when suspicious emails were found in several employee email accounts.

A comprehensive manual document review was conducted to identify any protected health information stored in the compromised email accounts. The compromised accounts were discovered to contain patient names along with dates of birth, medical information, and health insurance information. The Social Security numbers, driver’s license numbers, financial account information, and online login information of “a very limited” number of patients were also potentially compromised. The delay in issuing notification letters was due to the time-consuming manual document review process.

The phishing attack prompted Oaklawn Hospital to review its cybersecurity protections, and significant measures have now been taken to improve technical security safeguards, including the use of multi-factor authentication software. Employees have also been provided with additional security awareness training.

All patients affected by the breach have been advised to monitor their explanation of benefits statements for any transactions related to care or services that they have not received. Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services.

While unauthorized email account access was confirmed, the investigation did not uncover any evidence to suggest patient information was accessed or stolen by the attackers, and no reports have been received indicating any misuse of patient data.

Mono County Discovers Breach of COVID-19 Statistics Database

Mono County in California has discovered that an unauthorized individual gained access to its online COVID-19 statistics database between April 2 and July 24, 2020. The database included the protected health information of individuals who had been tested for COVID-19 prior to July 24, 2020.

The database contained individuals’ date of birth, gender, race, geographic region of residence in Mono County, and the result of their COVID-19 test. Names, addresses, and other identifying information were not included in the database. The database was secured on July 28, 2020, and external access is no longer possible.

The breach report submitted to the HHS’ Office for Civil Rights shows the PHI of 2,850 individuals was stored in the database.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.