25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Sutter Health Notifies Patients of Business Associate Phishing Incident

Posted By on Feb 20, 2018

Sutter Health is notifying certain patients that some of their protected health information has been exposed following a phishing attack on one of its business associates – the legal firm Salem and Green.

On or around October 11, 2017, a phishing email was received by a staff member at Salem and Green, the response to which gave the attackers access to that individual’s email account. Upon discovery of the attack, a forensics firm was contracted to perform an analysis of the affected computer and network to determine the extent of the attack and whether any sensitive information had been obtained.

The investigation revealed the security breach was limited to a single email account and that access to the account was only possible for two days. During the time that the email account was accessible, the attacker had access to all emails in the account, some of which contained the protected health information of certain Sutter Health patients.

The types of information potentially accessed by the attacker was limited to names, dates of birth, driver’s license numbers, Social Security numbers, and other professional ID numbers.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Data access and theft was not confirmed, although it was also not possible to rule out data access/theft with a high degree of confidence. Sutter Health believes the risk of data misuse is low.

Out of an abundance of caution, all individuals impacted by the incident have been offered complimentary credit monitoring and identity theft protection services for 12 months.

Sutter Health reports that the legal firm has taken steps to enhance security to prevent further breaches of this nature and staff have been provided with security awareness training to help them identify email threats such as phishing. The legal firm has also now implemented 2-factor authentication controls on all email accounts which will prevent account access from unknown devices.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist