Sensitive Data Potentially Compromised in Tennessee Hospice Phishing Attack
Alive Hospice in Nashville, TN, a provider of end-of-life care, palliative care, bereavement support and community education in middle Tennessee, has announced that the email account of an employee was subjected to unauthorized access in May 2019.
Around May 6, 2019, suspicious activity was detected in an employee’s email account. The password for the account was immediately changed and an investigation was launched into the cause of the breach.
The investigation revealed the email account was compromised on May 4, 2019 and hackers had access to the email account for a period of two days. Only one email account was compromised. Unauthorized account access was confirmed, but no evidence was found to suggest any patient information was accessed or stolen.
The types of information in emails and email attachments varied from patient to patient and may have included the following types of PHI in addition to a patient’s name: Date of birth, Social Security number, driver’s license number, financial account number, medical history, treatment information, prescription information, treating or referring physician information, medical record number, health insurance information, Medicare or Medicaid number, username/email and password information.
Alive Hospice has conducted a review of its security protections and will be implementing additional safeguards to help prevent further attacks. Affected individuals have been offered complimentary credit monitoring and identity theft protection services.
The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights but the incident has yet to appear on the OCR breach portal, so it is currently unclear how many individuals have been affected.
Californian Medical Staffing Agency Victim of Phishing Attack
The Roseville, CA-based medical staffing agency Flexcare LLC has discovered it has been the victim of a phishing attack.
The email account of a single employee was temporarily compromised as a result of a response to a phishing email. The agency’s email security system detected unusual activity in the account shortly after the phishing email was received and the account was automatically shut down.
Computer forensic professionals were hired to help analyze the breach and determine whether the attacker gained access to the employee’s email account and whether any PHI had been viewed or copied.
Despite the prompt account shut down, the investigation confirmed that the account had been subjected to unauthorized access. While no evidence of data access or data theft were found, the forensics investigators concluded that during the time that access was possible, patients’ PHI may have been viewed or copied.
A detailed analysis of emails in the compromised account revealed affected patients had their name exposed along with one of more of the following types of PHI: Address, date of birth, driver’s license number, Social Security number, medical information such as vaccination history, drug test results, and annual health questionnaire answers.
Flexcare will be providing employees with further training on email and network security and multi-factor authentication is being implemented. Affected individuals have been offered 12-month free membership to CyberScout credit monitoring and identity theft protection services.