HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Salem Health Hospitals & Clinics and Delta Dental of Arizona Notify Patients About Phishing Attacks

Salem Health Hospitals & Clinics in Oregon experienced a phishing attack on July 31, 2019 that resulted in an unauthorized individual gaining access to the email accounts of several employees. The breach was detected within a day of the accounts being accessed and the compromised accounts were secured.

Patients were notified about the breach on September 27 and were told that a review of the affected accounts was underway. The compromised email accounts were expected to contain a limited amount of patient information such as names, dates of birth, and information related to the medical services patients had received. At the time of issuing the notice, the investigation into the breach was ongoing.

On Thursday, November 7, 2019, Salem Health spokesperson, Elijah Penner, said “The incident was reviewed thoroughly, and Salem Health has no indication that any patient information has been misused.” No evidence was uncovered to suggest patient information in emails and email attachments was accessed.

Salem Health has advised affected patients to exercise caution and monitor their accounts and explanation of benefits statements for signs of fraudulent activity. Email security is being enhanced and Salem Health will be reinforcing education of employees to help them identify and avoid malicious emails in the future.

The breach has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many patients have been impacted by the security breach.

Delta Dental of Arizona Notifies Members About July Phishing Attack

The Glendale, AZ-based dental insurance company, Delta Dental of Arizona, has announced it has experienced an email security breach in which the information of plan members has been exposed. The security breach came to light on July 8, 2019 following the detection of suspicious activity in an employee’s email account.

The attacker used the employee’s credentials to access the email account on July 8. According to the substitute breach notice on the Delta Dental website, determining which members had information exposed was “a lengthy and labor-intensive process.”

Delta Dental of Arizona issued a statement on November 8, 2019 confirming the investigation found no evidence of unauthorized data access, although it was not possible to rule out unauthorized data access. Consequently, affected members have been notified as a precaution.

The types of information in the email account included names, addresses, dates of birth, member ID numbers, Social Security numbers, driver’s license numbers, passport numbers, financial account information, credit/debit card numbers, dental insurance information, usernames/passwords, and digital signatures.

The HHS’ Office for Civil Rights breach portal indicates 12,866 members have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.