HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Roundup of Recent Healthcare Phishing and Malware Incidents

A roundup of healthcare privacy breaches recently reported to the HHS’ Office for Civil Rights and state Attorneys General.

Twelve Oaks Recovery Discovers Malware Infection and Data Theft

Twelve Oaks Recovery, a Navarre, FL-based addiction and mental health treatment center, has discovered that an unauthorized individual gained access to its network, installed malware, and stole documents from its systems. The attack was detected on December 13, 2020, when unusual network activity was observed. A forensic investigation confirmed that malware had been deployed on December 13 and that data exfiltration was confirmed the following day.

A review of the documents obtained by the attacker revealed they contained the protected health information of 9,023 patients, and included names, addresses, dates of birth, medical record numbers, and Social Security numbers.

Twelve Oaks Recovery has enhanced its network monitoring tools and taken steps to prevent similar breaches from occurring in the future.

Rainbow Rehabilitation Centers Discovers Email Account Breach

Rainbow Rehabilitation Centers, a Livonia, MI-based provider of therapeutic rehabilitation services for individuals with brain and spinal cord injuries, has discovered that an unauthorized individual gained access to an employee’s email account that contained the protected health information of 1,749 patients and information about its employee group health plans.

Third-party forensic experts were engaged to investigate the breach and confirmed that a single email account was breached. A review of the account revealed it contained PHI such as names, Social Security numbers, driver’s license numbers, appointment scheduling notes, and medical plan and benefits enrollment information. It was not possible to determine whether any of that information was accessed by the attacker, but no reports have been received that suggest any patient information has been misused.

Affected individuals have been notified and offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

Summit Behavioral Healthcare Email Accounts Compromised

Summit Behavioral Healthcare, a Brentwood, TN-based provider of behavioral health services and operator of 18 addiction treatment centers throughout the United States, has discovered that two employee email accounts were compromised, starting in late May 2020.

A third-party digital forensics firm was engaged to investigate the breach, and on January 21, 2021, it was confirmed that protected health information was contained in the compromised accounts and may have been accessed or obtained by unauthorized individuals.

The information in the accounts varied from individual to individual and may have included names in combination with one or more of the following types of data: Social Security number, diagnosis or symptom information, treatment information, prescription information, health insurance numbers, medical history, financial account information, Medicaid / Medicare identification numbers, and health care provider information.

Affected individuals have been notified and offered a complimentary 12-month membership to credit monitoring and identity theft protection services.

Email Account Breach Discovered at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center in Elgin, ND has discovered that an email account containing the protected health information of 1,545 patients was accessed by an unauthorized individual.

The breach was detected on or around August 5, 2020, and a third-party cybersecurity firm was hired to investigate the breach and determine whether any information had been accessed. It appears that the attack was conducted in order to send spam emails from the account; however, it is possible that patient information was viewed.

The account contained names, addresses, dates of birth, email addresses, Social Security numbers, phone numbers, insurance policy numbers, credit card numbers, bank account numbers, and some health information.

A new facility-wide security system has now been implemented, policies and procedures have been updated, and additional training has been provided to staff and vendors on data protection. Affected individuals have been offered complimentary credit monitoring and identity theft restoration services.

Kaiser Permanente Fires Employee for Inappropriate PHI Access

Kaiser Permanente has fired an employee for accessing members’ medical records without authorization. The privacy breach was detected on December 28, 2020, and the investigation confirmed that the records were accessed for reasons unrelated to individuals’ healthcare service needs. The types of information in the records included names, addresses, telephone numbers, email addresses, dates of birth, and photographs, but no other sensitive information.

Kaiser Permanente is reviewing its policies and procedures and will be implementing additional safeguards, as appropriate, to prevent similar privacy breaches in the future. The records of up to 2,121 individuals were potentially accessed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.