The PHI of patients of Forrest Health’s Forrest General Hospital has potentially been obtained by a third party after access was gained to the email account of an employee of a business associate, HORNE LLP.
HORNE LLP is a provider of certain Medicare reimbursement procedures to Forrest General Hospital and, as a result, requires access to patients’ private health information.
HORNE discovered the email account breach on November 1, 2017, when it saw that a worker's email account was sending phishing emails. The email account was shut down and an investigation into a possible HIPAA breach was started. That investigation uncovered that an unauthorized person or group had gained access to the employee’s email account the previous day, after the worker responded to a phishing email.
The phishing attack was reviewed by an external third-party investigator to determine the nature and extent of the damage and whether the PHI of any patients had been compromised. The review found that the damage was confined to a single email account. An examination of the emails in the account indicated that some Forrest General Hospital patients’ PHI could have been accessed.
According to the breach notice obtained by the website databreaches.net, “certain emails within the employee’s email account were subject to unauthorized access.” On November 27, HORNE determined that some of those emails contained PHI, including attachments.
Though emails may have been opened and the attachments accessed by the attacker, no evidence was uncovered to suggest that this happened. However, data theft could not be ruled out either.
Consequently, in line with HIPAA Rules, patients are being contacted regarding the breach. HORNE stated in its breach notice that the letters are being issued beginning February 1, 2018; the email account breach was first detected on November 1, and PHI was confirmed to have been accessed on November 27.
The breach notices are being issued by HORNE on behalf of Forrest General Hospital. As a precaution, all affected patients have been offered complimentary credit monitoring and identity theft restoration services through Experian for the next year.
HORNE is establishing additional safeguards to strengthen the security of its networks and better protect the privacy of any patients whose PHI is stored on the organization’s networks.