Phishing Incidents Reported by Connecticut Department of Social Services, Mercy Iowa City and LSU Care Services

Connecticut Department of Social Services (DSS) has reported a potential breach of the protected health information of 37,000 individuals as a result of a series of phishing attacks that occurred between July and December 2019.

Several email accounts were compromised and used to send spam emails to several DSS employees; the investigation of those emails confirmed the phishing attacks. A comprehensive investigation was conducted using state information technology resources and a third-party forensic IT firm, but no evidence was found to indicate the attackers had accessed patient information in the email accounts. According to the DSS breach notice, “Due to the large volume of emails involved and the nature of the phishing attack, the forensic efforts could not determine with certainty that the hackers did not access personal information.”

Identity theft protection services have been offered to affected individuals as a precaution, and steps have been taken to improve email security and better protect against phishing attacks in the future.

More Than 92,000 Individuals Affected by Mercy Iowa City Phishing Attack

Mercy Iowa City has started notifying 92,795 individuals that some of their protected health information was potentially compromised in a phishing attack. The attack involved a single email account which was accessed by an unauthorized individual between May 15, 2020 and June 24, 2020. The email account was used to send spam and phishing emails.

A review of the compromised account revealed it contained names, dates of birth, Social Security numbers, driver’s license numbers, treatment information, and health insurance information. Individuals whose driver’s license number or Social Security number was potentially compromised have been offered complimentary credit monitoring services for 12 months.

Mercy Iowa City has implemented additional safeguards to prevent further attacks, including multi-factor authentication on email accounts.

LSU Health Care Services Suffers Phishing Attack

The Louisiana State University (LSU) Health New Orleans Health Care Services Division has announced that an unauthorized individual has accessed the email account of an employee and potentially viewed or obtained the information of patients of several hospitals in Louisiana.

The email account was breached on September 15, 2020. The attack was discovered on September 18 and the email account was immediately disabled. An investigation was launched but no evidence was found to indicate patient information in the emails and attachments was accessed or obtained by the individual responsible.

A review of the breached email account revealed it contained the protected health information of patients of the following hospitals:

  • University Medical Center in Lafayette
  • Lallie Kemp Regional Medical Center in Independence
  • Leonard J. Chabert Medical Center in Houma
  • O. Moss Regional Medical Center in Lake Charles
  • Bogalusa Medical Center in Bogalusa
  • Interim LSU Hospital in New Orleans
  • Earl K. Long Medical Center in Baton Rouge

The types of information potentially compromised varied from patient to patient and medical center to medical center, but may have included names, phone numbers, addresses, medical record numbers, account numbers, dates of birth, Social Security numbers, dates of service, types of services received, insurance ID numbers, and a limited amount of financial account information and health information. The investigation into the breach is continuing, but so far “thousands” of patients are known to have had their information exposed.

LSU Health is currently evaluating additional security measures to better protect against further attacks and additional information security training has been provided to employees. The ePHI of 8,085 patients was potentially compromised.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.