Healthcare Resource Group & Confido have PHI Exposed in Phishing Attacks

The pharmacy benefits consulting group Confido has begun alerting 3,600 of its clients’ employees, members, and their dependents, that a portion of their personal information may have been accessed by an unauthorized person who obtained access to an employee’s email account.The email account breach was discovered on December 12, 2020 and an investigation was initiated to determine the scale and extent of the breach. With the help of a third-party security firm, Confido determined on January 17, 2020 that an unauthorized person had access to the email account for a period of two weeks between November 29, 2019 and December 12, 2019. It was not possible to determine if information in the email account was downloaded, but the possibility could not be eliminated.

An in -depth review of the email account showed it included names, dates of birth, health insurance information, Social Security numbers, prescription details, treatment information, and clinical data like diagnoses and provider identities.

Individuals impacted by the breach were made aware on February 10, 2020. Complimentary credit monitoring services have been offered to individuals whose Social Security number was exposed.

The breach lead Confido conducting additional security awareness training to its employees and additional procedures have been introduced to strengthen email security.

Meanwhile Healthcare Resource Group, a supplier of billing services to Barlow Respiratory Hospital in Los Angeles, CA, discovered that an employee’s email account was hacked by an unauthorized individual. An investigation was carried out which showed that the email account was accessed between November 4, 2019 and November 30, 2019.

A review of the email account showed emails and attachments contained a limited amount of protected health information of current and previous Barlow Respiratory Hospital patients.

A third-party company was hired to review the account to determine what range of information had been compromised. The review was finished on February 27, 2020 and showed patient names had been exposed along with one or more of the following data elements: Date of birth, Social Security information, driver’s license number, medical record number, patient account number, health insurance data, treatment specifics, and medical billing or claims details.

Healthcare Resource Group issued notifications to impacted clients on behalf of Barlow Respiratory Hospital on April 7, 2020. One year’s subscription to credit monitoring and identity theft restoration services has been offered to impacted patients.

Author: Maria Perez