HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack.

Several employees responded to the phishing emails and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access, and the security breach was reported to law enforcement.

An internal investigation was launched to determine what information was accessed by the attackers, which revealed that emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft.

A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included first and last names, maiden name, marital status, date of birth, address, email address, telephone number, Social Security number, medical record number, driver’s license number, medical device number, passport number, bank account number, health insurance account number, full face photograph, admission date, discharge date, and treatment date.

Steps have been taken to improve email security and employees have been provided with further security awareness training to help them identify phishing emails.

University of Pittsburgh Medical Center Altoona Phishing Attack Reported

UPMC Altoona has discovered an unauthorized individual has gained access to the email account of one of its physicians and potentially viewed or obtained the PHI of some of its patients. The phishing attack was detected on February 13, 2020, shortly after the email account was compromised.

The attacker used the account to send further phishing emails. The investigation did not uncover evidence of data theft, but unauthorized PHI access could not be ruled out.

A forensic investigation revealed the email account contained patient information such as demographic information and limited clinical information. No Social Security numbers, financial information, or health insurance details were exposed.

Notification letters were sent to affected individuals on April 10, 2020. The Office for Civil Rights breach portal indicates up to 13,911 patients have been affected by the phishing attack.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.