HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Reliable Respiratory Phishing Attack Impacts 21,000 Patients

The Norwood, MA-based respiratory care provider Reliable Respiratory has experienced a phishing attack that has affected several thousand of its patients.

A cyberattack was suspected on July 3, 2018, following the detection of unusual activity in an employee’s email account. An investigation was launched to determine the cause of that activity, which revealed the employee had been targeted with a phishing campaign. The employee’s response to a phishing email resulted in the disclosure of that individual’s login credentials.

The unusual account activity was detected on July 3 and the account was immediately secured. Computer forensic specialists were retained to determine the nature and extent of the breach. The breach investigation confirmed that the account had been accessed by an unauthorized individual between June 28 and July 2. An analysis of the emails contained in the account showed a wide range of protected health information could potentially have been accessed by the attacker.

Patients are now being notified of the breach by mail and have been advised to monitor their account statements and explanation of benefits statements closely for signs of identity theft and fraud. Reliable Respiratory’s substitute breach notice makes no mention of whether credit monitoring and identity theft protection services are being offered to affected patients.

Patients affected by the breach may have had the following types of protected health information exposed: Name, date of birth, medical record number, medical diagnosis, treatment information, medication/prescription information, username and password, patient claim/billing information, health insurance information, driver’s license number, state identification number, Social Security number, passport number, bank or financial account information, and credit or debit card information.

Reliable Respiratory will be implementing additional safeguards to improve the security of its systems and will update its policies and procedures to reduce the risk of experiencing future cyberattacks.

The report submitted to the Department of Health and Human Services’ Office for Civil Rights shows 21,311 patients were affected by the phishing attack.

Carpenters Benefit Funds of Philadelphia Email Security Incident

A similarly sized email breach was reported to OCR by Carpenters Benefit Funds of Philadelphia on August 31, 2018. The email hacking incident resulted in the exposure and possible theft of 20,015 plan members’ records.

A substitute breach notice has not yet been uploaded to the Carpenters Benefit Funds of Philadelphia website and a prominent media outlet does not appear to have been notified of the breach at the time of writing, so the exact nature of the breach is not yet known.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.