Email Security Breaches at Relation Insurance & Rainbow Hospice Care

Relational Insurance Inc., an insurance brokerage company operating as Relation Insurance Services of Georgia (RISG), suffered an email security breach in August 2019. An unauthorized person was discovered to have obtained access to the email account of an employee and possibly accessed or copied emails that included protected health information (PHI).

The breach was discovered on August 15, 2019 when suspicious activity was noticed in the email account. A third-party computer forensics company helped with the investigation and determined the account was accessed by an unauthorized person between August 14 and August 15.

On August 16, 2019, RISG discovered that the account held PHI; however, it was not until December 13, 2019 that a total review of the account was completed to determine which individuals had been affected and exactly what information was potentially exfiltrated.

It was discovered that the account held a wide range of information, which differed from person to person. The breached PHI may have incorporated: Name, address, telephone number, email address, date of birth, driver’s license number, Social Security number, passport number, state issued identification number, copies of marriage or birth certificates, account and routing number, financial institution name, credit/debit card number, PIN, expiration date, treatment information, prescription information, provider name, medical record number, patient ID, health insurance information, treatment cost, medical history, mental or physical condition, diagnosis code, procedure type, procedure code, treatment location, admission date, discharge date, medical device number, and time of death.

Measures have been implemented to enhance email security and prevent similar breaches going forward. The breach report filed with the HHS’ Office for Civil Rights indicates the PHI of up to 4,335 individuals was potentially impacted.

Meanwhile, Jefferson, WI-based, Rainbow Hospice Care, Inc. has revealed that an employee’s email account has been accessed by an unauthorized person and the protected health information of 2,029 current and former patents may have been viewed or stolen.

Third-party forensic experts were hired to look into the the breach. While they confirmed that the account had been accessed by an unauthorized person, but they were unable to determine whether any patient information was accessed or downloaded.  A review of the compromised account revealed it contained patient names, dates of birth, treatment information, medical record numbers, and Social Security information.

Patients have been informed about the breach and have been offered free credit monitoring services through Experian. Rainbow Hospice Care is unaware of any cases of improper use of patient information and detailed in its substitute breach notice that it believes misuse of patient information is unlikely.

Author: Maria Perez