Phishing Attacks Reported by Academic HealthPlans and Wayne County Hospital

Academic HealthPlans, Inc. (AHP) has discovered an unauthorized individual has gained access to the email accounts of two employees following responses to phishing emails.

AHP was alerted to a potential breach when suspicious activity was detected in its Microsoft Office 365 email environment. The affected accounts were secured, and an investigation was launched to determine the extent of the breach. On June 4, 2021, AHP determined that the email accounts were compromised as a result of phishing attacks between August 6, 2020 and August 24, 2020, and on October 2, 2020. The breach was limited to those two accounts and did not involve any other systems.

A comprehensive and time-consuming programmatic and manual review was conducted to identify the individuals and information affected. That review confirmed that the email accounts contained information related to the student health plans AHP administers.

The exposed data include student names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnoses and treatment information. No evidence was found that suggested any emails or attachments in the accounts were actually viewed.

Affected health plans and self-insured universities were notified between June 21, 2021 and July 7, 2021, and AHP started sending notification letters to affected individuals on June 29, 2021. AHP has offered eligible individuals complimentary credit monitoring and identity theft protection services

Extensive training has been provided to employees to help them identify phishing emails and other threats and existing security measures have been enhanced.

The breach has been reported to the HHS’ Office for Civil Rights as affecting 2,330 individuals.

Wayne County Hospital in Iowa Notifies 2,016 Patients About Phishing Attack

Wayne County Hospital in Corydon, IA is alerting 2,016 patients about the potential theft of some of their protected health information. On March 22, 2021, the hospital became aware of a breach of its email environment. Email accounts were immediately secured to prevent further unauthorized access and a third-party cybersecurity company was engaged to investigate the breach and determine the extent of the attack.

The investigation revealed unauthorized individuals had gained access to email accounts as a result of employees responding to phishing emails. The compromised email accounts contained names, addresses, Social Security numbers, driver’s license numbers, financial account information, treatment or procedure information, medical provider or facility names, diagnoses, medications, medical record numbers, insurance information, and dates of service. There have been no reports of misuse of patient data to date.

Wayne County Hospital said appropriate steps will be taken to prevent similar breaches in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.