PHI of 40,000 Individuals Exposed in Email Account Breaches

Three healthcare providers have recently reported security breaches involving the email accounts of employees, resulting in the exposure and potential theft of the protected health information of more than 40,000 individuals.

Saltzer Health

Saltzer Health in Idaho identified a breach of its email environment on June 1, 2021. Steps were promptly taken to prevent further unauthorized access, with the subsequent investigation confirming an unauthorized individual had accessed the account between May 25, 2021, and June 1, 2021. It was not possible to tell if any patient information was accessed or exfiltrated, but a comprehensive review of the account by third-party specialists confirmed it contained the protected health information of 15,650 patients.

The review was completed on September 21, 2021, and confirmed the email account contained the following types of information: Names, contact information, medical record numbers, patient identification numbers, driver’s license/state identification numbers, medical histories, diagnoses, treatment information, physician information, prescription information, health insurance information, and a limited number of Social Security numbers and financial account information. All affected individuals have now been notified by mail.

Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates in Colorado detected a breach of an employee email account on September 21, 2021. The email account was immediately secured, and third-party cybersecurity experts were engaged to assist with the investigation.

A comprehensive review of emails and attachments in the breached account confirmed protected health information had been exposed, although it was not possible to tell if any PHI had been viewed or obtained by unauthorized individuals. The compromised PHI included names, dates of birth, and medical records, but no addresses or Social Security numbers were exposed. The breach has been reported to the HHS’ Office for Civil Rights as affecting 21,450 individuals.

Region IV Area Agency on Aging

Region IV Area Agency on Aging in Michigan (AAA4) discovered on or around September 30, 2021, that an unauthorized individual had gained access to the email account of one of its employees as a result of a response to a phishing email. The purpose of the cyberattack was to try to get the employee’s paychecks diverted.

While this appears to be the sole aim of the attacker, the email account contained the PHI of 3,171 individuals and included names, addresses, dates of birth, social security numbers, insurance information, phone numbers, and medical conditions.

AAA4 said it found no evidence to suggest any PHI had been obtained or misused, but all affected individuals have been advised to exercise caution and monitor their accounts and explanation of benefits statements for suspicious activity. AAA4 said it has taken steps to prevent further phishing attacks, including providing additional training to the workforce.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.