UNC Health and Nebraska DHHS Report Phishing Attacks

The Nebraska Department of Health and Human Services has announced a security incident involving the protected health information of clients of Aging Partners, a department of the City of Lincoln.

The breach was discovered by the Lincoln Information Services Department on May 25, 2021. Employees had responded to phishing emails and disclosed credentials to their email accounts, which contained more than 46,000 emails. With the assistance of a computer forensics company, it was determined that the email account was accessed by an unauthorized individual between May 18 and May 21.

A review of the emails in the account confirmed some contained patient information such as names, addresses, dates of birth, phone numbers, Social Security numbers, dates of service, type/amount of service, and some health information such as diagnoses, care assessments, and medication lists. Emails also contained bank account numbers or other financial information of a limited number of individuals. 6,600 of the emails included the PHI of Aging Partners’ clients, although only 1,513 individuals have been affected. For the majority of affected individuals, only names were included in the email accounts.

All affected individuals are now being notified, and credit monitoring and identity theft protection services are being offered to individuals whose financial information was present in the compromised email accounts.

UNC Health Reports Phishing Attack

UNC Health has announced that an email account containing the protected health information of patients of University of North Carolina at Chapel Hill School of Medicine (SOM) and the University of North Carolina Hospitals (UNC Hospitals) has been accessed by an unauthorized individual.

On May 20, 2021, UNC Health discovered the email account of a SOM faculty member had been compromised. That individual provided clinical services at UNC Hospitals. The email account was immediately secured, and an investigation was launched to determine the extent of the breach. Assisted by a third-party cybersecurity firm, UNC Health determined that the email account breach was isolated to April 20, 2021 and no other email accounts or systems were involved.

A review of the account revealed the following types of information could potentially have been compromised: patients’ names, dates of birth, diagnosis and treatment information, and/or information about a research study that patients may have been involved in or eligible for at UNC Hospitals/SOM. The breach has been reported to the HHS’ Office for Civil Rights as affecting 10,832 patients. UNC Health said the email account contained the health insurance information of fewer than 30 patients and the Social Security numbers of fewer than 10 patients. There have been no reported cases of misuse of patient data.

Additional email security measures are being implemented and employees are being provided with further training to help them identify phishing emails.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.