Phishing Attack on Business Associate Exposes Forrest General Hospital Patients’ PHI

The management consulting company HORNE LLP, a business associate of Forrest Health’s Forrest General Hospital, is notifying certain hospital patients that some of their protected health information (PHI) has potentially been obtained by a third party after access was gained to the email account of one of its employees.

HORNE provides certain Medicare reimbursement services to Forrest General Hospital and as such, requires access to patients’ PHI.

HORNE became aware of an email account breach on November 1, 2017, when it discovered that the email account of an employee was being used to send phishing emails. The discovery prompted the shutdown of the email account, and an investigation into a potential breach was launched. That investigation revealed an unauthorized individual had gained access to the employee’s email account the previous day as a result of the employee responding to a phishing email.

The phishing attack was investigated by a third-party investigator to determine the nature and extent of the breach and whether the PHI of any patients had been exposed. The investigation confirmed the attack was limited to a single email account. An analysis of the emails in the account revealed some Forrest General Hospital patients’ PHI could potentially have been accessed.

According to the breach notice obtained by databreaches.net, “certain emails within the employee’s email account were subject to unauthorized access.” On November 27, HORNE determined that some of those emails contained attachments that included PHI including names, birth dates, Medicaid ID numbers, patient account numbers, service dates, and Social Security numbers.

While emails could potentially have been opened and the attachments acquired by the attacker, no evidence was uncovered to suggest that was the case. However, it was also not possible to rule out data theft with a high degree of certainty.

Consequently, in accordance with HIPAA Rules, affected patients are being notified of the breach, albeit somewhat late (the HIPAA Breach Notification Rule requires individual notices to be issued without unreasonable delay and no later than 60 days after discovery). HORNE says in its breach notice that the letters are being sent beginning February 1, 2018, even though the email account breach was discovered on November 1 and PHI was confirmed to have been exposed on November 27.

The breach notices are being sent by HORNE on behalf of Forrest General Hospital. All patients impacted have been offered complimentary credit monitoring and identity theft restoration services through Experian for 12 months as a precaution against misuse of their data.

HORNE is implementing additional safeguards and security measures to enhance the security of its systems and better protect the privacy of any patients whose PHI has been provided to the firm.

According to the breach summary on the Department of Health and Human Services’ Office for Civil Rights breach portal, 16,70 patients of Forrest Health Hospital have been impacted by the phishing attack.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.