Norwood, MA-based Reliable Respiratory has discovered a hacker has gained access to the email account of one of its employees, and through that account, potentially accessed the protected health information of some of its patients.
The respiratory care provider was alerted to a possible email account breach on July 3 when suspicious activity was detected in the email account. An investigation was immediately launched which confirmed that the employee had responded to a phishing email and had disclosed login credentials to the attacker.
Third party security consultants were called in to investigate the phishing attack and to determine the extent of the breach. The company confirmed that the account had been compromised between June 28 and July 2, potentially giving the attacker five days to plunder the account.
Every email in the account was checked to determine whether sensitive information had potentially been accessed. While it was not possible to say whether the information in the account had been viewed or copied, the possibility could not be ruled out.
The types of information exposed differed per individual but may have included name, medical diagnoses, treatment information, medication/prescription information, medical record number, health insurance information, bank or financial account information, driver’s license or state identification number, Social Security number, claims/billing information, date of birth, credit or debit card information, username and password, and passport number.
Reliable Respiratory has implemented security controls to prevent phishing and other cyberattacks, but in this case those controls were bypassed by the attacker. Reliable Respiratory has already taken steps to improve security and is reviewing and updating its policies and procedures to prevent further attacks.
The firm is currently notifying affected patients and has provided further information on how they can reduce the risk of misuse of their data.
The breach has been reported to state regulators and the Department of Health and Human Services’ Office for Civil Rights. At the time of writing, the number of patients impacted by the incident has not been disclosed publicly.