HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

South Country Health Alliance Breach Impacts 66,874 Plan Members

Owatonna, MN-based Minnesota South Country Health Alliance has discovered an unauthorized individual accessed the email account of an employee that contained the protected health information of 66,874 of its members.

The email account breach was detected on September 14, 2020, with the subsequent investigation revealing the account was first accessed by an unauthorized individual on June 25, 2020. The review of the email account was completed on November 5, 2020 and revealed it contained personal and protected health information such as names, addresses, Social Security numbers, Medicare and Medicaid numbers, health insurance information, diagnostic or treatment information, date of death, provider name, and treatment cost information.

Notifications were sent to all affected members on December 30, 2020. The delay in issuing notifications was due to the time taken to identify current mailing addresses for affected individuals.

The breach investigation did not uncover any evidence to suggest any protected health information in the account was viewed or obtained or has been misused. South Country Health Alliance is providing complimentary credit monitoring and identity protection services to members potentially affected by the breach.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Precision Spine Care Email Breach Impacts 20,787 Patients

Tyler, TX-based Precision Spine Care has reported a breach of an email account and the exposure of the protected health information of 20,787 patients.

An unauthorized individual gained access to an employee’s email account and attempted to divert funds to their bank account. The aim of the attack appears to have been solely to commit payment fraud, which was unsuccessful. The investigation into the incident involved a review of the compromised email account, which was found to contain names, addresses, dates of birth, and some health information.

No evidence was found to indicate any protected health information in the account was accessed by the attacker. Notifications were sent to all affected individuals in January 2021.

AllCare Health Members Affected by Mailing Vendor Ransomware Attack

The Oregon-based health plan AllCare Health Inc. is notifying 5,000 members that some of their protected health information may have been obtained by unauthorized individuals in a ransomware attack on its mailing vendor. Metro Presort Inc. handles large mailing projects for the health plan and experienced a ransomware attack in May 2019.

The long delay in issuing notifications was due to the health plan only being notified about the ransomware attack on November 24, 2020. Metro Presort had investigated the breach after securing its systems and determined that all patient information was encrypted prior to the ransomware attack and could therefore not have been accessed by the attackers. In October 2020, Metro Presort reviewed the incident and realized it was not possible to prove patient information had not been accessed as the data required to prove files were protected prior to the attack was encrypted by the ransomware and was rendered inaccessible.

AllCare Health determined the information that could potentially have been accessed was limited to names, addresses, birth dates, health plan ID numbers or account numbers, appointment dates, types of treatment, and diagnosis treatment codes.

The mailing vendor has since implemented additional technical safeguards and further protections to ensure customer data are encrypted. Additional security audits are now being conducted and the mailing vendor has arranged for regular third-party security reviews to be conducted.

Jefferson Healthcare Phishing Attack Impacts 2,550 Individuals

WA-based Jefferson Healthcare has discovered the email account of an employee has been accessed by an unauthorized individual following a response to a phishing email. The email contained what appeared to be a DocuSign document that required login credentials to open the file.

The breach was limited to a single email account and no other systems were compromised. An investigation into the attack revealed the email account was subjected to unauthorized access on November 12, 2020.

A review of the compromised account revealed it contained the protected health information of 2,543 patients. More than 30,000 file attachments had to be manually checked to determine whether they contained patient information.

While some personal and protected health information was contained in the emails and attachments, for the majority of affected patients, the information was not especially sensitive. The Social Security and/or financial information of 84 patients were contained in the account. Those individuals have been offered complimentary credit monitoring services.

The breached email account was used to send further malicious emails to individuals in the address book. In total, 658 emails were sent from the account. Those individuals were notified and instructed not to open the attached file.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.