HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Three Healthcare Phishing Incidents Result in Exposure of 10,000 Patient Records

National Seating and Mobility, Partners for Quality, and Alana Healthcare have all recently started notifying patients that their protected health information has been exposed as a result of phishing incidents.

3,673 Clients Impacted by Partners For Quality Phishing Attack

Partners For Quality, Inc. (PFQ), a provider of services and support for individuals with intellectual and developmental disabilities, discovered unusual activity within certain employee email accounts on February 19, 2019.

Assisted by a third-party computer forensics company, PFQ determined that three email accounts had been accessed by an unauthorized individual between January 19 and February 27, 2019. Further analysis of the compromised email accounts revealed they contained the sensitive information of clients and employees.

Clients affected by the breach had previously received services from PFQ, Allegheny Children’s Initiative Inc., Citizen Care Inc., Exceptional Adventures, or Milestone Centers Inc.

A wide range of highly sensitive protected health information was stored in the compromised email accounts, such as names, dates of birth, Social Security numbers, medical record numbers, billing and claims information, health insurance information, driver’s license numbers, banking and financial account numbers, credit and debit card numbers, PIN numbers, usernames and passwords, and diagnoses and treatment information.

While data access was possible, no reports have been received to suggest any client or employee information has been misused. All individuals for whom a valid postal address was held have been notified about the breach by mail.

PFQ has reviewed and updated its policies and procedures and has put additional safeguards in place to improve the security of sensitive information stored in its systems.

Affected individuals have been given further information on how they can protect their identities and have been advised to monitor their accounts for signs of identity theft and fraud. Despite the nature of information that was exposed, it does not appear that affected individuals are being offered credit monitoring and identity theft protection services.

According to the breach summary on the HHS’ Office for Civil Rights website, 3,673 clients were affected by the breach.

National Seating and Mobility Phishing Attack Impacts 3,800 Patients

Franklin, TN-based National Seating and Mobility (NSM), a manufacturer of seating and mobility systems, has discovered unauthorized individuals have gained access to the email accounts of some of its employees as a result of a phishing attack.

The email accounts were breached on or around February 14, 2019, and unauthorized access was promptly terminated. The quick response severely limited the time the attackers had to access emails in the accounts. NSM conducted an investigation and, assisted by third-party computer experts, determined that the email accounts contained a limited amount of client information: names, addresses, dates of birth, diagnosis/diagnostic codes, and other information related to the provision of a mobility device. Certain individuals also had their Social Security number, driver’s license number, health insurance information, Medicare/Medicaid number, and/or guarantor’s personal information exposed.

The third-party computer experts concluded on March 12, 2019, that due to the method of access, the email accounts of some employees may have been inadvertently copied during the standard email synchronization process.

While no evidence has been uncovered to suggest there has been any misuse of the exposed information, individuals affected by the breach have been offered free credit monitoring and identity theft protection services. NSM is reviewing its security measures and will take steps to enhance protections to prevent any further breaches.

The breach report submitted to the HHS’ Office for Civil Rights indicates up to 3,800 individuals were affected by the breach.

Alana Healthcare Phishing Incident Impacts 2,691 Patients

On January 17, 2019, the Nashville, TN-based care management company Alana Healthcare discovered an unauthorized individual had gained access to the email account of an employee. Assisted by a third-party computer forensics company, Alana Healthcare determined on March 14, 2019 that the email account contained sensitive information of 2,691 patients.

Names, dates of birth, Social Security numbers, and some health information were exposed and potentially subjected to unauthorized access. Affected patients have been notified by mail and have been offered credit monitoring and identity theft protection services as a precaution, although no reports have been received to suggest any patient information has been misused.

To prevent further data breaches, Alana Healthcare will be providing employees with additional training and testing on the need to protect sensitive information, and multi-factor authentication will be implemented on employee email accounts.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.