HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack on Hematology Oncology Associates Sees Multiple Email Accounts Breached

The email accounts of several employees of Medford, OR-based Hematology Oncology Associates, P.C. have been compromised as a result of responses to phishing emails. The phishing attack was detected on March 19, 2018, although the investigation revealed the first account was breached on December 18, 2018. Further accounts were compromised up until February 22, 2019.

Third-party computer forensics experts were retained to investigate the breach, but it was not possible to determine which, if any, emails and attachments had been opened by the attackers.

The breach investigation was concluded on April 20 and confirmed that some of the emails and attachments in the compromised accounts contained patients’ protected health information.

A password reset has been performed to prevent further unauthorized access, and additional security awareness training will be provided to employees.

The breach has been reported to the HHS’ Office for Civil Rights and state attorneys general, and affected individuals have been offered free membership to Experian’s IdentityWorks credit monitoring and identity theft protection services.

It is currently unclear how many people have been affected by the breach.

Former Penn Medicine Employee Accused of Accessing and Misusing Patient Information

A former medical assistant at Penn Medicine has been accused of accessing patient information without authorization and misusing the information of at least one patient.

The contract employee had been hired through a staffing agency and worked at Penn Medicine between February and April 2019. Penn Medicine learned on April 29, 2019 that the employee had accessed patient information without any legitimate work reason for doing so.

The types of information that could have been viewed included names, demographic information, clinical information and, for certain patients, Social Security numbers. In total, the former employee had accessed 900 patient records during the 3 months of employment.

Penn Medicine spokesperson Lauren Steinfeld issued a statement saying Penn Medicine is aware of one patient whose PHI had been misused, although the nature of that misuse was not disclosed.

All 900 patients have now been notified about the privacy breach. Penn Medicine is also reviewing its use of contractors and staffing agencies and will be taking steps to ensure all employees maintain high professional standards.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.