LifeSprk is making contact with 9,000 of its account holders to inform them that a a limited amount of their protected health information may have been illegally accessed or stolen due to a November 2019 phishing attack.
On January 17, 2020, the Minnesota-based senior care provider became aware that an unauthorized person had illegally accessed the email account of one of its staff members. The account was quickly secured and a third-party cybersecurity company was contracted to look into the breach. The cybersecurity company found a small number of staff email accounts were impacted from November 5 through November 7, 2019.
For most of the impacted people, compromised information included names, medical record numbers, health insurance information, and some health information. However some patients where also had financial information and/or their Social Security number breached. So far the investigation, which has not been completed as of yet, has not uncovered any proof of data theft or misuse of protected health information.
Contact with impacted clients was first attempted on March 17, 2020. There was a small delay in sending notifications because of “unprecedented actions taken in response to the Covid-19 (“Coronavirus”) pandemic.”
Those whose Social Security number was illegally obtained have been offered free credit monitoring and identity theft protection services. Lifesprk is now in the process of bolstering email security and will conduct additional training with its staff in relation to cybersecurity.
Separately, the University of Utah Health revealed last Friday that unauthorized individuals had obtained access to the email accounts of a small amount of employees between January 7 and February 21, 2020 and may have accessed patients’ protected health information. University of Utah Health became aware on February 3, 2020 that malware had been placed on an employee’s workstation which potentially gave unauthorized people access to patients’ protected health information.
The information held in the email accounts and on the impacted computer was restricted to names, birth dates, medical record numbers, and some clinical information linked to the care provided by University of Utah Health.
Impacted patients are now being informed, security processes are being reviewed and updated, and education will be bolstered with members of the workforce.
It is currently not known how many patients have been impacted by the data breach.