Washington University School of Medicine Breach Impacts 14,795 Oncology Patients

Washington University School of Medicine is notifying 14,795 oncology patients that some of their protected health information was stored in an email account that was breached in January 2020.

An unauthorized individual gained access to the email account of a research supervisor in the Division of Oncology between January 12, 2020 and January 13, 2020 as a result of a response to a phishing email. Upon discovery of the breach, immediate action was taken to secure the account and prevent further unauthorized access and a third-party computer forensics firm was engaged to assist with the investigation.

A painstaking review of emails and email attachments in the account revealed they contained the following patient information: Names, dates of birth, medical record numbers, patient account numbers, limited treatment and/or clinical information, including diagnoses, provider names, and lab test results. Certain patients also had their health insurance information and/or Social Security numbers exposed.

Affected individuals are now being notified about the breach and individuals whose Social Security numbers were potentially compromised have been offered complimentary membership to credit monitoring and identity protection services.

Washington University School of Medicine has taken steps to improve email security and has reinforced education with its employees to help them identify suspicious emails.

Phishing Attack Reported by Doctors Community Medical Center

Doctors Community Medical Center in Maryland is alerting certain patients to a breach of their protected health information.

The data breach was identified in January 2020 when suspicious activity was detected in its payroll system. An investigation into the breach revealed a small number of employees had been duped by phishing emails and had disclosed their account credentials to the attackers. In addition to gaining access to the employees’ email accounts, the attackers also had access to the employees’ payroll information.

The investigation confirmed that the first accounts were breached on November 6, 2019, with access possible until January 30, 2020. Around February 13, 2020, Doctors Community Medical Center determined that some of the compromised email accounts contained data sheets that included patient information.

A forensic investigation conducted by third-party investigators was unable to confirm if patient data had been accessed, copied, or disclosed, although no reports have been received to suggest patient information has been misused. Since unauthorized data access could not be ruled out, patients have been notified and offered complimentary credit monitoring and identity restoration services.

The types of information that were potentially compromised included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, military identification numbers, financial account information, diagnoses, treatment information, prescription information, provider names, medical record numbers, patient IDs, Medicare/Medicaid numbers, health insurance information, treatment cost information, and access credentials.

The health system is reviewing and updating its policies and procedures and additional safeguards will be implemented to prevent further attacks.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.