Phishing Attack on California Business Associate Impacts 14,591 DHS Patients

Nemadji Research Corporation, doing business as California Reimbursement Enterprises, has announced an unauthorized individual has gained access to the email account of an employee and may have viewed or copied the protected health information (PHI) of its clients’ patients.

California Reimbursement Enterprises is a business associate of several healthcare facilities and hospitals in California and provides patient eligibility and billing services. The company also provides services to the Los Angeles County Department of Health Services (DHS).

A potential email account breach was detected on March 28, 2019 when IT staff identified unusual activity in an employee’s email account. Assisted by a third-party computer forensics expert, Nemadji determined the employee responded to a phishing email the same day and the attacker accessed the account for several hours.

All emails in the account were checked and on June 5, 2019, Nemadji confirmed that patient information had been exposed and notifications were issued to affected business partners.

The breached email account contained correspondence between California Reimbursement Enterprises and DHS related to the services provided. Some of those emails included some individuals’ PHI. Nemadji notified DHS about the breach on June 26, 2019 and confirmed 14,591 DHS patients had been affected.

The information potentially viewed or copied was limited to names in combination with one or more of the following data elements: address, telephone number, date of birth, medical record number, patient account number, admission date(s), discharge date(s), Medi-Cal ID number, and month and year of service. Four patients also had diagnostic codes exposed and two patients had their Social Security number exposed.

Affected patients have been offered complimentary credit monitoring and identity theft protection services and were sent breach notifications on July 8, 2019.

Nemadji has reviewed its cybersecurity defenses and additional security measures have been implemented to reduce the risk of further breaches. Employees have been given additional training and email security protections have been enhanced.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.