Meharry Medical College & MEDNAX Services Email Account Breaches Reported

Meharry Medical College located in Nashville, TN, has revealed that an email account breach may have lead to in the illegal access of the protected health information of up to 20,963 patients.

The email account breach was  first discovered around July 28, 2020 and was promptly mitigated. External technical experts were brought in to review the breach and discovered that the incident was kept to a single email account. On September 1, 2020, Meharry Medical College was made aware that the nature of the breach meant it was possible that the contents of the email account may have been duplicated, most likely inadvertently during the standard email synchronization task.

An investigation into the incident was completed and it was found that the email account contained patients’ full names, dates of birth, diagnoses/diagnostic codes, internal patient account numbers, provider identities, and other health data. A small amount number of patients also had their Social Security numbers, Medicare/Medicaid numbers, and health insurance information impacted.

Individuals whose Social Security number was possibly impacted have been offered free membership to identity theft protection services.

Meanwhile, Sunrise, FL-based MEDNAX Services Inc, a supplier of revenue cycle management and other administrative services to its affiliated physician practice groups, found out on June 19, 2020 that unauthorized people had obtained access to its Microsoft Office 365-hosted email system after employees responded to phishing messages.

Forensic firm,MEDNAX helped to see that multiple business email accounts had been impacted between June 17, 2020 and June 22, 2020. A review of the accounts, which were kept apart from MEDNAX’s internal network and systems, revealed they included patient names, guarantor names, email addresses, addresses, dates of birth, Social Security numbers, driver’s license numbers, state ID numbers, financial account information, health insurance data, Medicare/Medicaid numbers, medical and treatment data, and billing and claims information. It was not possible to discover what patient information, if any, was accessed by unauthorized people.

Impacted people have been offered a free one-year membership to identity monitoring services. MEDNAX has completed a thorough review of its security controls and steps will be taken to enhance security to prevent similar breaches going forward.

Author: Maria Perez