Primary Health Care Experiences Multiple Email Hacks

A non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA, Primary Health Care Inc. has reported that hackers gained access to the email accounts of four workers and may have viewed or downloaded patients’ PHI.

A press release issued by Primary Health Care and published a substitute breach notice to its website on March 16, 2018 outlining that the breach occurred on February 28, 2017. The breach was found on March 1, 2017. Primary Health Care is currently  notifying affected patients and will be filing an incident report to the Department of Health and Human Services’ Office for Civil Rights. No explanation was included as to why the breach took a full year to report, although the manner in which the breach was made public implies that the year stated in the official breach notice may be a typo and that the breach occurred in 2018.

Primary Health Care moved swiftly to deal with the breach and turned off access to the compromised email accounts and hired a third-party computer forensics expert to conduct a review into the hacking attack. The investigation revealed four email accounts and their associated Google Drives were accessed by the hacker(s), although they did not know whether any emails were opened and if any protected health information was accessed.

An analysis of the staff email accounts revealed they contained data such as patients’ names along with driver’s license numbers, Social Security specifics, diagnoses, medication information, medical histories, health insurance information, facilities and providers, financial details, credit/debit card numbers, times of service, and in some cases, Medicaid numbers.

Nothing was found to suggest any information has been misused for ill means, although out of an abundance of caution, affected persons have been offered 12 months of identity theft protection services from AllClear without charge.

Primary Health Care is currently putting in place extra security measures to enhance the privacy and security of its information systems to stamp out further breaches of this fashion.

Author: Maria Perez