Two Employees of the Alive Hospice in Tennessee Fooled by Phishing Scam

The email accounts of two employees of the Alive Hospice in Tennessee have been compromised as a result of the employees falling for phishing scams.

The email account breaches were identified during a review of the email system on May 15, 2018. During the review, ongoing unauthorized access to the email accounts was detected. Alive Hospice immediately took steps to block third-party access by performing a password reset, and third-party forensics investigators were called in to determine the nature and scope of the breach.

The investigation revealed the first email account was compromised on or around December 20, 2017, with the second account compromised on or around April 5, 2018. An analysis of both email accounts revealed they contained the protected health information of patients, which may have been accessed by the person(s) responsible for the attacks.

The types of information that may have been accessed varied for each patient and included names, dates of birth, Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, copies of birth/death certificates, medical histories, prescription information, treatment information, health insurance numbers, biometric identifiers, IRS PIN numbers, digital signatures, security questions and answers, username/email and password information.

The investigation into the breach revealed no evidence to suggest any of the information was viewed or downloaded by the attacker, and neither have any reports been received to suggest there has been any misuse of patients’ PHI.

All individuals impacted by the breach were sent breach notification letters on July 13, 2018 and have been offered 12 months of credit monitoring and identity theft protection services without charge.

Due to the extensive range of sensitive information that has potentially been compromised, patients should carefully monitor their account statements and explanation of benefits forms for any sign of fraudulent activity.

Alive Hospice had “stringent security measures in place” to protect against the unauthorized accessing of PHI, although in this case those measures were undone by phishing emails. Alive Hospice has said it is implementing additional safeguards to improve its security posture and protect against further attacks.

It is currently unclear how many patients have been impacted as the incident has yet to be uploaded to the HHS’ Office for Civil Rights breach portal. No mention was made of the number of people impacted in Alive Hospice’s substitute breach notice.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.