San Diego, CA-based Ron’s Pharmacy Services has found that an unknown individual logged into an employee’s email account containing limited protected health information (PHI).
Unusual activity was noticed on the employee’s email account on October 3, 2017, which prompted an investigation; however, it was not until December 21, 2017 that the investigation revealed that an unauthorized individual had obtained messages in the email account that had patient information attached.
An audit of the employee’s email account showed only a minimal amount of PHI was compromised: names, internal account numbers, and payment adjustment information, while a small number of patients also had information regarding their prescription medications accessed. While PHI access was uncovered, Ron’s Pharmacy has not been made aware of any misuse of patient information. Ron’s Pharmacy has now warned patients about the breach and reported the incident to the proper authorities.
In its substitute breach notice filed on February 2, 2018, Ron’s Pharmacy explained that swift action was taken to secure the email account and prevent further access. Login credentials were changed, and an external computer forensics consulting firm was hired to conduct a thorough investigation to determine the nature of the attack, its scope, and how access to the account was gained.
Staff have received further education, and policies and procedures have been updated to strengthen defenses against similar cyberattacks in the future.
The breach report sent to the Department of Health and Human Services’ Office for Civil Rights states that 6,781 individuals were impacted by the HIPAA breach.