HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Sutter Health Notifies Patients of Business Associate Phishing Incident

Sutter Health is notifying certain patients that some of their protected health information has been exposed following a phishing attack on one of its business associates – the legal firm Salem and Green.

On or around October 11, 2017, a phishing email was received by a staff member at Salem and Green, the response to which gave the attackers access to that individual’s email account. Upon discovery of the attack, a forensics firm was contracted to perform an analysis of the affected computer and network to determine the extent of the attack and whether any sensitive information had been obtained.

The investigation revealed the security breach was limited to a single email account and that access to the account was only possible for two days. During the time that the email account was accessible, the attacker had access to all emails in the account, some of which contained the protected health information of certain Sutter Health patients.

The types of information potentially accessed by the attacker were limited to names, dates of birth, driver’s license numbers, Social Security numbers, and other professional ID numbers.

Data access and theft were not confirmed, although it was also not possible to rule out data access or theft with a high degree of confidence. Sutter Health believes the risk of data misuse is low.

Out of an abundance of caution, all individuals impacted by the incident have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Sutter Health reports that the legal firm has taken steps to enhance security to prevent further breaches of this nature, and staff have been provided with security awareness training to help them identify email threats such as phishing. The legal firm has also now implemented 2-factor authentication controls on all email accounts, which will prevent account access from unknown devices.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.