PHI of More Than 100,000 Elara Caring Patients Potentially Compromised in Phishing Attack

Elara Caring, one of the largest providers of home-based healthcare services in the United States, has suffered a phishing attack that has impacted more than 100,000 patients.

In mid-December, suspicious activity was identified in some employee email accounts. Prompt action was taken to secure the accounts to prevent further unauthorized access and a third-party security firm was engaged to investigate the breach.

The investigation confirmed that multiple employee email accounts had been accessed by an unauthorized individual, although no evidence was found to suggest any patient information in those accounts was viewed or obtained by the attackers. It was, however, not possible to rule out data theft.

A review of the compromised email accounts revealed they contained the PHI of 100,487 patients, including names, addresses, Social Security numbers, driver’s license numbers, Employer ID numbers, financial/bank account information, dates of birth, email addresses and passwords, insurance information and insurance account numbers, and passport numbers. Individuals affected by the breach have been offered complimentary credit monitoring and identity protection services.

Elara Caring has since taken steps to improve data security and has provided additional cybersecurity training to employees.

ProPath Email Accounts Accessed by an Unauthorized Individual

ProPath, the largest, nationwide, fully physician-owned pathology practice in the United States, has discovered an unauthorized individual has accessed two email accounts containing patient information.

The email accounts were discovered to have been accessed by an unauthorized individual between May 4, 2020 and September 14, 2020. ProPath learned on January 28, 2021 that the email accounts contained protected health information including names, dates of birth, test orders, diagnosis and/or clinical treatment information, medical procedure information, and physician name. A limited number of individuals also had their Social Security number, financial account information, driver’s license number, health insurance information, and/or passport number exposed.

Individuals whose Social Security number was compromised have been offered complimentary credit monitoring services. Employees have received further training to help them detect malicious emails and additional technical safeguards have now been implemented.

The HHS’ Office for Civil Rights breach portal shows 39,213 individuals have been affected by the breach.

Cornerstone Care Email Account Breach Impacts 11,487 Patients

An email account containing the PHI of 11,487 patients of Cornerstone Care community health centers in Southwestern Pennsylvania and Northern West Virginia has been accessed by an unauthorized individual.

The email account breach was detected on June 1, 2020, and third-party security experts were engaged to assist with the investigation. They confirmed the breach was limited to a single corporate email account. A review of the PHI in that account was completed on January 13, 2021.

The account contained names and addresses and, for certain individuals, date of birth, Social Security number, medical history, condition, treatment, diagnosis, and/or health insurance information. Individuals whose Social Security number was compromised have been offered complimentary credit monitoring and identity theft protection services.

Affected individuals were notified by mail on February 25, 2021. Cornerstone Care has since implemented multi-factor authentication on email accounts.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.