Phishing Attacks Reported by University of Utah Health, Oregon DHS, and LifeSprk

The Minnesota-based senior care provider LifeSprk is notifying 9,000 of its clients that some of their protected health information was potentially compromised as a result of a November 2019 phishing attack.

On January 17, 2020, Lifesprk discovered an unauthorized individual had gained access to the email account of one of its employees. The account was immediately secured and a third-party cybersecurity firm was engaged to investigate the breach. The cybersecurity firm determined that a limited number of employee email accounts were compromised from November 5 through November 7, 2019.

For the majority of affected individuals, information in the compromised accounts was limited to names, medical record numbers, health insurance information, and some health information. Certain patients also had financial information and/or their Social Security number exposed.

The investigation into the breach is ongoing. To date, no evidence of data theft or misuse of protected health information has been found.

Affected patients started to be notified on March 17, 2020. The delay in sending notifications was due to “unprecedented actions taken in response to the Covid-19 (“Coronavirus”) pandemic.” Individuals whose Social Security number was exposed have been offered complimentary credit monitoring and identity theft protection services. Lifesprk is now enhancing email security and will reinforce education with its employees about phishing emails.

PHI of University of Utah Health Patients Has Potentially Been Compromised

University of Utah Health announced on Friday that unauthorized individuals gained access to the email accounts of a limited number of employees between January 7 and February 21, 2020, and potentially accessed patients’ protected health information.

University of Utah Health discovered on February 3, 2020 that malware had been installed on an employee’s workstation, which potentially gave unauthorized individuals access to patients’ protected health information.

The information stored in the email accounts and on the affected computer was limited to names, birth dates, medical record numbers, and some clinical information related to the care provided by University of Utah Health.

Affected patients are now being notified, security procedures are being reviewed and updated, and education will be reinforced with members of the workforce.

Two breach reports have been submitted to the Department of Health and Human Services’ Office for Civil Rights. The first, submitted on March 21, indicates 3,670 patients were affected, and the second, submitted on April 3, shows 5,000 patients were affected.

Oregon Department of Human Services Investigating Spear Phishing Attack

The Oregon Department of Human Services has discovered an unauthorized individual gained access to the email account of one of its employees as a result of a response to a spear phishing email.

Information technology security processes had been put in place to detect email account compromises rapidly, which has limited the potential for data theft. The email security breach was detected on March 6, 2020 and the account was immediately secured. The Oregon DHS will be seeking assistance from a third-party entity to review the incident and determine what information has been exposed and how many individuals have been affected. Those individuals will be notified in due course.

At this stage, there is no indication that any protected health information has been accessed, copied, or misused; however, out of an abundance of caution, identity theft protection services will be offered to all affected clients.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.