HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attack on Presbyterian Healthcare Services Exposed PHI of 183,000 Patients

The Albuquerque, NM-based not-for-profit health system, Presbyterian Healthcare Services, has experienced a phishing attack that saw the email accounts of several employees subjected to unauthorized access.

The phishing attack was discovered by Presbyterian Healthcare Services on June 6, 2019. The breach investigation revealed the email accounts were compromised a month previously, on or around May 9, 2019.

Upon discovery of the breach, all affected email accounts were secured to prevent further access. An analysis of the compromised email accounts revealed they contained the protected health information (PHI) of 183,370 individuals. Compromised PHI was limited to names, dates of birth, Social Security numbers, and clinical and health plan information. Affected individuals have been advised to check their statements from their providers and health plans for signs of misuse of their personal information.

Presbyterian Healthcare Services has implemented additional safeguards to protect its email system and all employees will be required to undergo annual cybersecurity training. Employees will also be sent regular reminders about safeguarding PHI and avoiding phishing scams.

Lost Thumb Drive Contained PHI of 27,000 Renown Health Patients

27,004 patients of Reno, NV-based Renown Health are being notified that some of their protected health information was saved on an unencrypted thumb drive that has been declared lost.

The device contained information such as patient names, diagnoses, medical record numbers, clinical information, dates of admission, and physician’s names. The breach was limited to patients who had received inpatient services at Renown South Meadows Medical Center between January 1, 2012 and June 14, 2019.

The drive is believed to have been lost on June 30, 2019. The employee who reported the device missing was questioned, and a thorough search was conducted, but the portable storage device could not be located.

Renown Health is reviewing its policies concerning the use of portable storage devices and will be reeducating its employees on safeguarding PHI.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.