HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attacks Reported by Broome County, NY and UMass Memorial Community Healthlink

Broome County in New York has started notifying 7,048 individuals that some of their protected health information (PHI) was compromised in a phishing attack on county employees.

Broome County officials learned about the attack on January 2, 2019, when it was discovered that an employee’s direct deposit account information had been changed. An investigation was launched immediately and revealed that ‘numerous’ Broome County email accounts had been compromised as a result of responses to phishing emails. An unauthorized individual had also gained access to employees’ PeopleSoft accounts.

A computer forensics expert was hired to assist with the investigation and determine how and when access to the accounts was first gained. That investigation revealed the first accounts were compromised on November 20, 2018 and further accounts were compromised up to January 2, 2019.

Employee direct deposit information has been checked and all emails and email attachments in the compromised accounts have been analyzed.

Broome County says multiple county departments were affected, including the Department of Health. The Willow Point Nursing Home and Rehabilitation & Nursing Center were also affected.

The types of information in the emails varied from individual to individual, but may have included names, contact information, Social Security numbers, bank account numbers, other financial information, dates of birth, medical record numbers, patient identification numbers, health insurance information, claims information, and medical and clinical information such as diagnoses and treatment information.

Broome County will implement additional safeguards to protect against any future attempted cyberattacks, including multi-factor authentication, and additional training will be provided to staff.

Community Healthlink Phishing Attack Impacts 4,598 Patients

UMass Memorial Community Healthlink, a provider of behavioral health, addiction, and homeless services throughout central Massachusetts, has discovered the email accounts of two employees have been accessed by an unauthorized individual.

The breach was detected on April 18, 2019 and the accounts were secured. The breach investigation revealed the accounts were first accessed the same day and information in the compromised email accounts was only available for a limited time period.

No evidence was found to suggest emails had been viewed or copied; however, the following information may have been subjected to unauthorized access: names, dates of birth, client identification numbers, diagnosis and treatment information, health insurance information, and, in limited instances, Social Security numbers.

In response to the breach, passwords were reset, rules were strengthened to prevent email accounts from being accessed from external domains, automatic alerts have been increased, and defenses have been strengthened against email impersonation attacks. Further training has also been provided to employees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.