Security Breaches Reported by DePaul and Southern Hills Eye Care

DePaul, a provider of assisted living facilities and healthcare services in New York, North Carolina, and South Carolina, is alerting certain members of its behavioral health program that some of their protected health information has been exposed as a result of a phishing attack.

The breach was discovered on February 1, 2019 and the account was immediately secured. The investigation into the breach confirmed that a single email account had been compromised as a result of an employee being fooled by a phishing scam. The email account contained approximately 41,000 emails, which needed to be checked to determine whether they contained any sensitive information.

The vast majority of the emails in the account did not contain any significant medical or psychiatric information; however, a small number of emails contained information such as first and last names, dates of birth, and/or Social Security numbers.

The aim of the attack appeared to be to use the compromised email account to send further phishing emails. No evidence was found to suggest the attacker viewed or copied emails containing sensitive information.

Individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring services for one year.  DePaul will be providing staff with additional training to improve resilience to phishing attacks.

The HHS’ Office for Civil Rights breach portal shows 902 DePaul members were affected by the breach.

Southern Hills Eye Care Ransomware Attack Reported

Southern Hills Eye Care in Sioux City, IA, has experienced a security incident which may have resulted in the exposure of patients’ protected health information.

On January 15, 2019, ransomware was installed on a server in its Sioux City offices and files were encrypted. A forensic investigation confirmed that an unauthorized individual had gained access to the server and may have viewed files containing patients’ protected health information. The types of information in the files included names, addresses, dates of birth, phone numbers, health information, health insurance information, and the Social Security numbers of Medicare patients.

While data access was possible, no evidence was uncovered to suggest any patient information was accessed by unauthorized individuals. Additional security controls have now been implemented to prevent any future breaches of this nature.

The breach has yet to appear on the OCR breach portal so it is currently unclear how many patients have been affected. Notifications were sent to affected patients on March 15, 2019.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.