HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack on Home Medical Equipment Provider Affects 153,000 Individuals

The protected health information of 153,013 individuals has potentially been compromised in an email security breach at HME Specialists LLC, dba Home Medical Equipment Holdco.

HME Specialists discovered suspicious activity in its email system and immediately secured all affected accounts and engaged a specialist cybersecurity company to conduct a forensic investigation to determine the extent and nature of the breach. The cybersecurity firm confirmed on March 11, 2021 that certain compromised email accounts contained protected health information and that the accounts had been accessed by unauthorized individuals between June 24 and July 14, 2020.

The accounts contained information such as names, dates of birth, diagnosis and/or other clinical information, along with limited Social Security numbers, driver’s license numbers, credit card numbers, account information and usernames and passwords. No specific evidence was found to suggest any information in the compromised accounts was acquired by the attackers or has been misused.

Affected individuals for whom a current address was held have been notified by mail and advised to monitor their financial accounts and explanation of benefits statements for signs of fraudulent activity. Complimentary credit monitoring services have been offered to all individuals whose Social Security numbers were exposed.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Additional technical safeguards have now been implemented for employee email accounts including multifactor authentication, and further training has been provided to the workforce to raise awareness of the risks of malicious emails.

Sapphire Community Health Suffers Ransomware Attack

Sapphire Community Health in Hamilton, MT has experienced a ransomware attack in which the protected health information of 4,000 patients was potentially compromised. The attack was discovered on February 18, 2021 when staff were prevented from accessing files. Information systems were shut down to limit the damage caused and appropriate scanning and restoration steps were taken.

The medical record system was unaffected, but some of the encrypted files contained patient data such as names, addresses, and dates of birth and, for a limited number of individuals, financial account information and/or Social Security numbers.

An investigation into the attack found no evidence to suggest any patient information was exfiltrated by the attackers prior to the use of ransomware. All affected individuals have now been notified and additional security safeguards have been implemented to prevent further attacks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.