Business Associate Phishing Attack Impacts PHI of 17,531 Patients
Women’s Health USA Inc., an Avon, CT-based business associate that supplies a range of practice management services to healthcare groups, has suffered a phishing attack that has led to the exposure of patients’ protected health data.
A review was initiated following the discovery of suspicious activity within specific employee email accounts. The targeted email accounts were safeguarded, and a leading cybersecurity firm was engaged to help with the investigation and determine the nature and manner of the breach.
The investigation showed that the email accounts of two staff members had been accessed by unauthorized individuals after the employees responded to phishing emails and disclosed their email credentials. The first email account breach was encountered on April 5, 2018, and the second account was targeted on August 13, 2018.
A review of the emails and email attachments in the accounts showed they contained a small amount of protected health information. The exposed data varied from patient to patient but may have included name, date of birth, Medicare Health Insurance Claim Number (HICN), health insurance policy number, diagnosis information, treatment information, and Social Security information.
Women’s Health USA notified all impacted healthcare provider clients about the breach on March 15, 2019, and started sending breach notification letters to all impacted patients on March 29, 2019.
All staff members have been given additional training to help them identify phishing emails and to raise awareness of other cybersecurity concerns. Extra security measures have also been implemented to strengthen email security.
The phishing campaign and data breach have been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach summary states that 17,531 clients were targeted in the breach.