HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attacks Reported by Hartford Healthcare and Saint Francis Ministries

The Saint Francis Ministries health system has announced that the email account of one of its employees was accessed by an unauthorized individual, who may have obtained patient information.

The breach was identified on December 19, 2019, when suspicious activity was detected in an employee’s email account. A third-party computer forensics firm was engaged to investigate the breach and determined on February 12, 2020, that the account was subjected to unauthorized access between December 13, 2020 and December 20, 2019. It was not possible to tell whether the attacker accessed emails containing patient information or downloaded any email data, but no reports have been received to suggest any patient information has been misused.

A review of the affected accounts was completed on March 24, 2020, and revealed that the following information was potentially compromised: name, date of birth, Social Security number, driver’s license number, state ID number, bank/financial account number, credit or debit card number, diagnosis, treatment information, prescription information, provider name, medical record number, Medicare/Medicaid number, health insurance information, treatment cost information, and username and password.

Saint Francis Ministries started mailing notification letters to affected individuals on April 12. Complimentary credit monitoring and identity theft protection services have been offered to affected patients, and steps are being taken to improve email security to prevent similar breaches in the future.

2,651 Patients of Hartford Healthcare Potentially Impacted by Phishing Attack

Hartford Healthcare, a healthcare network serving patients in Connecticut and Rhode Island, announced on April 13, 2020 that it has been the victim of a phishing attack. The attack was discovered on February 13, 2020 when unusual activity was detected in the email accounts of two employees.

Assisted by a third-party computer forensics team, Hartford Healthcare determined that the attackers accessed the email accounts between February 13 and February 14, 2020.

At least one of the email accounts was discovered to include the protected health information of certain patients, such as names, medical record numbers, health insurance information, and other health-related data. The email accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare said 2,651 patients have been affected and are now being notified. The 23 individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services for 2 years.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.