HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Phishing Attacks Reported by Sunrise Community Health and Katherine Shaw Bethea Hospital

Evans, CO-based Sunrise Community Health has discovered the email accounts of several employees were compromised as a result of employees responding to phishing emails. The email accounts were accessed by unauthorized individuals between September 11, 2019 and November 22, 2019.

Assisted by third party computer forensics experts, Sunrise Community Health determined on November 5, 2019 that the compromised email accounts contained the protected health information of certain patients. The types of data present in the email accounts varied from patient to patient and may have included names, dates of birth, Sunrise patient ID numbers, Sunrise provider names, dates of service, types of clinical examinations performed, the results of those examinations, diagnoses, medication names, and names of health insurance carriers.

Sunrise Community Health does not believe the aim of the attack was to obtain patient information, but the possibility of unauthorized data access and data theft could not be ruled out. The attackers appeared to be targeting invoice and payroll information.

The investigation into the attack is continuing but breach notification letters have now been sent to affected individuals. Sunrise Community Health is offering affected patients complimentary credit monitoring and identity theft restoration services.

1,486 Katherine Shaw Bethea Hospital Patients Impacted by Phishing Attack

Katherine Shaw Bethea Hospital in Dixon, IL has discovered an unauthorized individual has gained access to the email account of an employee and potentially obtained a spreadsheet containing the protected health information of 1,486 patients.

The spreadsheet contained names, dates of birth, phone numbers, health insurance carrier names, diagnoses, and clinical information of patients under 18 years of age who had visited the emergency department between November 1, 2018 and May 1, 2019.

Katherine Shaw Bethea Hospital has implemented additional measures to improve email security and all staff members have been provided with further cybersecurity training to help them identify phishing scams.

NYC Health + Hospitals Alerts Patients to Improper Disclosure Incident

NYC Health + Hospitals is alerting patients who received treatment following a motor vehicle accident that some of their protected health information may have been impermissibly disclosed to third parties by an employee.

NYC Health + Hospitals was notified on October 3, 2019 that one of its employees had disclosed patient information to third parties such as law firms between 2016 and November 2019.

NYC Health + Hospitals is assuming that all patients who received treatment at its hospitals and clinics following a motor vehicle accident may have been affected. The investigation into the incident is ongoing and appropriate disciplinary action is being taken against the employee concerned.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.