HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Relation Insurance and Rainbow Hospice Care Experience Email Security Breaches

Relational Insurance Inc., an insurance brokerage firm doing business as Relation Insurance Services of Georgia (RISG), experienced an email security breach in August 2019. An unauthorized individual was discovered to have gained access to the email account of an employee and potentially viewed or copied emails containing protected health information (PHI).

The breach was detected on August 15, 2019 when suspicious activity was detected in the email account. A third-party computer forensics firm assisted with the investigation and determined the account was accessed by an unauthorized individual between August 14 and August 15.

On August 16, 2019, RISG determined the account contained PHI; however, it took until December 13, 2019 for a full review of the account to be completed to determine which individuals had been affected and exactly what information was potentially compromised.

The account was found to contain a wide range of information, which differed from individual to individual. The breached PHI may have included: Name, address, telephone number, email address, date of birth, driver’s license number, Social Security number, passport number, state issued identification number, copies of marriage or birth certificates, account and routing number, financial institution name, credit/debit card number, PIN, expiration date, treatment information, prescription information, provider name, medical record number, patient ID, health insurance information, treatment cost, medical history, mental or physical condition, diagnosis code, procedure type, procedure code, treatment location, admission date, discharge date, medical device number, and date of death.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Steps have been taken to improve email security and prevent similar breaches in the future. The breach report submitted to the HHS’ Office for Civil Rights indicates the PHI of up to 4,335 individuals was potentially compromised.

Email Security Breach Discovered by Rainbow Hospice Care, Inc.

Jefferson, WI-based, Rainbow Hospice Care, Inc. has discovered an employee’s email account has been accessed by an unauthorized individual and the protected health information of 2,029 current and former patents may have been viewed or downloaded.

Third-party forensic investigators were engaged to investigate the breach. While they confirmed that the account had been accessed by an unauthorized individual, they were unable to determine whether any patient information was accessed or exfiltrated.  An analysis of the compromised account revealed it contained patient names, dates of birth, treatment information, medical record numbers, and Social Security numbers.

Patients have been notified about the breach and have been offered complimentary credit monitoring services through Experian. Rainbow Hospice Care is unaware of any cases of misuse of patient information and said in its substitute breach notice that it believes misuse of patient information is unlikely.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.