Slew of Email Security Breaches Reported by Healthcare Organizations
A further 5 healthcare data breaches of 500 or more records have recently been reported by HIPAA-covered entities and their business associates.
Email Account Breach Reported by Shields Health Solutions
Shields Health Solutions, a Stoughton, MA-based provider of specialty pharmacy services to hospitals and other covered entities, has discovered an unauthorized individual gained access to the email account of an employee and potentially viewed/copied protected health information.
Suspicious activity was detected in the email account of an employee on October 24, 2019. Assisted by a cybersecurity firm, Shields Health Solutions determined an unauthorized individual accessed the account between October 22 and October 24, 2019. The breach was confined to a single email account.
The email account contained messages and attachments that included patient names, dates of birth, medical record numbers, provider names, clinical information, prescription information, insurer names, and limited claims information. No evidence was uncovered that suggests patient information was accessed or copied.
Shields Health Solutions has since taken steps to improve email security, including implementing multi-factor authentication on all employee email accounts. Notification letters were sent to affected individuals on December 16, 2019. The HHS’ Office for Civil Rights (OCR) breach portal indicates 1,277 individuals were affected.
Lafayette Regional Rehabilitation Hospital Email Breach Impacts 1,360 Patients
Lafayette Regional Rehabilitation Hospital in Lafayette, IN, has discovered an unauthorized individual gained access to the email account of an employee in July 2019 and potentially viewed patients’ protected health information.
The breach was detected on November 25, 2019, prompting a thorough investigation to determine whether any patient information had been accessed by unauthorized individuals. No evidence was found to indicate patient information was viewed or copied, but it was not possible to rule out the possibility. The compromised account was found to contain names, dates of birth, and clinical and treatment information related to medical services received at the hospital. A limited number of patients also had their Social Security number exposed.
Notification letters were sent to affected patients on January 24, 2019. Individuals whose Social Security number was exposed have been offered complimentary credit monitoring services. Lafayette Regional Rehabilitation Hospital has since taken steps to improve email security and employees have had security awareness training reinforced.
The breach report submitted to the OCR indicates up to 1,360 patients were affected by the breach.
6,524 Individuals Impacted by Phishing Attack on MHMR of Tarrant County
My Health My Resources (MHMR) of Tarrant County in Fort Worth, TX, has experienced a phishing attack involving the email accounts of a small number of its employees. The phishing attack was detected on December 3, 2019.
The investigation revealed the accounts were accessed by an unauthorized individual between October 12 and October 14, 2019. Emails in the accounts were found to include names, Social Security numbers, driver’s license numbers, and some information about the care received at MHMR.
It was not possible to determine whether patient information was viewed, and no information has been received to suggest that any patient information has been misused. Out of an abundance of caution, all individuals whose information was stored in emails in the compromised accounts have been notified by mail. Individuals whose Social Security number or driver’s license number was exposed have been offered complimentary credit monitoring and identity theft protection services.
MHMR has now provided additional email security training to staff and has taken steps to enhance its security infrastructure and systems.
Reva Phishing Attack Impacts 1,000 Patients
The medical transportation service provider, Reva, has announced that the protected health information of approximately 1,000 patients has potentially been accessed by an unauthorized individual as a result of a phishing attack.
Suspicious activity was detected in the email account of an employee on September 12, 2019. The account was secured and an investigation was launched, which revealed further email accounts had also been compromised. Those accounts had been subjected to unauthorized access between July 23, 2019 and September 13, 2019.
A review of the compromised accounts revealed they contained patients’ names, travel insurance information, dates of service, limited clinical information, passport numbers, driver’s license numbers, and a small number of Social Security numbers.
Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number or driver’s license number was exposed. Affected individuals were notified by mail on January 22, 2019.
Email security has been enhanced in response to the breach, multi-factor authentication has been implemented, and further security awareness training has been provided to employees.
Lawrenceville Internal Medicine Associates Email Error Exposed 8,031 Patients’ Email Addresses
Lawrenceville Internal Medicine Associates (LIMA) in Lawrence Township, NJ, is alerting 8,031 individuals about an email error that exposed patients’ email addresses. The error also impacted certain patients of Endocrinology Associates of Princeton, LLC.
An email announcement was sent to patients on October 29, 2019. Two days later, it was brought to the attention of LIMA that the email addresses of other patients may have been visible in the BCC field of the email. No other information was exposed as a result of the error.
Additional training has been provided to the IT department, email security policies and procedures have been strengthened, and LIMA has changed the email system used to send email communications to patients.