HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Spokane Regional Health District Announces Second Phishing Attack in 3 Months

Spokane Regional Health District (SRHD) in Washington has once again fallen victim to a phishing attack. For the second time this year, the health district has announced patient data has potentially been compromised after an employee responded to a phishing email.

On March 24, 2022, SRHD announced that its IT department discovered a compromised email account, with the investigation recently confirming that the employee responded to a phishing email on February 24, 2022, and disclosed credentials that allowed the account to be accessed. Last week, SRHD confirmed that the email account contained the protected health information of 1,260 individuals. That information may have been ‘previewed’ by an unauthorized individual, although no evidence was found to suggest information had been accessed or downloaded.

Information in the account included names, birth dates, service dates, source of referral, provider hospital name, diagnosing state, whether the patient had been located, date located, patient risk level, staging level, how medications were collected, test type, test result, treatment information, medication information, delivery dates and any treatments provided to the baby, diagnostic information, medical information, and client notes.

A spokesperson for SRHD said corrective actions have been taken to mitigate the current breach and prevent further phishing attacks, including reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.

“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves,” said SRHD Deputy Administrative Officer, Lola Phillips. “We have a strong commitment to safeguard personal information, and we are working diligently to reduce the likelihood of future events.”

On January 24, 2022, SRHD announced that an employee email account had been compromised on December 21, 2021. The email account contained the sensitive data of 1,058 individuals, including names, birth dates, case numbers, counselor names, test results and dates of urinalysis, medications, and date of last dose.

After that attack, SRHD said it will be reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.

Catholic Health Notifies Patients About Data Theft Incident at Business Associate

Catholic Health has recently started notifying approximately 1,300 patients that some of their protected health information has been exposed in a cyberattack on its business associate, Ciox Health.

Buffalo, NY-based Ciox Health provides health information management services to healthcare providers and insurers. Between June 24, 2021, and July 2, 2021, emails and attachments in a Ciox Health employee’s email account were downloaded by an unauthorized individual.

The breach was detected last year and in September 2021, Ciox Health learned that the email account contained patient information related to billing inquiries and customer service requests. A review of the information in the account was completed in early November, and affected providers and insurers were notified between November 23 and December 30, 2021.

Catholic Health said the compromised information included patient names, provider names, dates of birth, dates of service, health insurance information, and/or medical record numbers. “While Ciox’s investigation did not find any instances of fraud or identity theft as a result of this incident, out of an abundance of caution, beginning today, Ciox is notifying affected Catholic Health patients,” said Catholic Health, in a March 30, 2022 post on its website.

Central Minnesota Mental Health Center Announces Email Account Breach

Central Minnesota Mental Health Center (CMMHC) has recently started notifying patients that unauthorized individuals have gained access to some of its email accounts. CMMHC identified potentially malicious activity in its email environment on October 21, 2021. A password reset was performed to prevent further unauthorized access and a third-party forensics company was engaged to investigate the nature and scope of the security breach.

On or around November 23, 2021, CMMHC learned that multiple email accounts had been synched, and that emails in the accounts had likely been obtained by the attackers. The investigation revealed the attackers had access to the email accounts between September 20, 2021, and October 29, 2021.

A review of the affected email accounts revealed they contained clinical information, mailing addresses, patient account number, treatment location, doctor’s name and treatment/procedure information. In less common situations, the emails contained names, telephone numbers, date of birth, Social Security number, and, in some instances, driver’s license number, and/or credit card/financial account numbers.

Additional safeguards and security measures have now been implemented to enhance the privacy and security of information in its systems and affected individuals have been notified and offered complimentary identity protection and credit monitoring services

The breach has been reported to the HHS’ Office for Civil Rights as affecting 28,725 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.