Phishing Attack Impacts 135K Saint Alphonsus Health System and Saint Agnes Medical Center Patients

A phishing attack on Saint Alphonsus Health System in Boise, ID has resulted in the exposure of patient information and has also impacted patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus identified unusual activity in an employee’s email account on January 6, 2021. The account was immediately secured, and an investigation was conducted to determine the source and nature of the activity. Saint Alphonsus determined that the account had been accessed by an unauthorized individual on January 4, 2021, giving the individual access to the account and information contained therein for 2 days. The account was used to send phishing emails to other individuals in an attempt to obtain usernames and passwords.

The employee whose credentials were compromised assisted with certain business functions that required access to protected health information, including performing billing functions for the West Region of Trinity Health, which includes Fresno.

A review of all emails and attachments revealed the account contained the protected health information of certain patients. The PHI in the account varied from patient to patient and included full names in combination with one or more of the following data elements: address, telephone, date of birth, email, medical record number, treatment information, and/or billing information. The account also contained a limited number of Social Security numbers and credit card numbers.

While unauthorized account access was confirmed, it was not possible to determine which emails, if any, had been accessed. At the time of issuing notifications, no evidence was found to indicate any patient information has been misused. Credit monitoring services are being offered to affected individuals, and employees have received further training on email and cybersecurity to prevent similar breaches in the future.

When notifying patients about the breach, an error occurred with the mail merge. “We have learned that some of our patients have received a letter notifying them of an email security event and unfortunately, when the letters were generated, a mail merge issue created an incorrect status for some patients, addressing them as deceased or a minor,” said Saint Alphonsus in a statement about the error.

The breach has been reported to the HHS’ Office for Civil Rights by Saint Alphonsus Health System as affecting 134,906 patients. Saint Agnes Healthcare said 2,821 of its patients were affected.

4,122 Individuals Affected by Southeastern Minnesota Center for Independent Living Phishing Attack

Southeastern Minnesota Center for Independent Living (SEMCIL), a provider of disability and support services in Rochester and Winona, has discovered an unauthorized individual gained access to an employee’s email account that contained the protected health information of 4,122 individuals.

An investigation into the security incident revealed the account was compromised on August 6, 2020, and access to the account remained possible until September 1, 2020. The investigation confirmed on December 22, 2020 that protected health information had been exposed, including names, addresses, dates of birth, Social Security numbers, driver’s license numbers, and some medical treatment information. Notification letters started to be sent to affected individuals on February 19, 2021.

The investigation did not uncover evidence to suggest any protected health information was viewed or obtained, and no reports have been received to indicate any PHI has been misused. As a precaution against identity theft and fraud, individuals whose Social Security number or driver’s license number was exposed have been offered complimentary identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.