A provider of end-of-life care, palliative care, bereavement support and community education based in Alive Hospice in Nashville, Tennessee has revealed that the email account of a staff member was infiltrated during May 2019.
On May 6, 2019, suspicious activity was noticed in a staff member’s account. The password for the account was quickly amended and an investigation was launched into the cause of the violation.
The investigation showed that the email account was compromised on May 4, 2019 and hackers had complete access to the email account for another two days. Only one email account was compromised. Unauthorized account access was confirmed, but no proof was uncovered to indicate any patient information was accessed or stolen.
The range of information in emails and email attachments was different from patient to patient and may have included the following sort of PHI in addition to a patient’s name: Date of birth, Social Security number, driver’s license info, financial account details, medical history, treatment data, prescription information, treating or referring physician information, medical record number, health insurance information, Medicare or Medicaid number, username/email and password information.
Alive Hospice has carried out a review of its security measures and will be configuring more safeguards to help prevent additional attacks. Affected individuals have been offered complimentary credit monitoring and identity theft security services.
The incident has been made known and submitted to the Department of Health and Human Services’ Office for Civil Rights but the incident has yet to be published on the OCR breach portal, so it is currently unclear how many individuals have had their PHI compromised.
Phishing Attack on Californian Medical Staffing Agency
The California-based medical staffing agency Flexcare LLC has revealed it has been impacted by a phishing attack.
The email account of one just staff member was compromised for a short while due to a result of a response to a phishing email. The agency’s email security system noticed strange activity in the account shortly after the phishing email was received and the account was automatically disabled.
Computer forensic professionals were hired to help analyze the breach and determine whether the hacker obtained access to the employee’s email account and whether any PHI had been viewed or downloaded.
Despite the swift disabling of the account, the investigation showed that the account had been subjected to illegal access. While no evidence of data access or data theft were located, the forensics investigators concluded that during the time that access could have taken place, patients’ PHI may have been viewed or duplicated.
A thorough review of emails in the compromised account revealed affected patients had their name exposed in addition to more of the following types of PHI: Address, date of birth, driver’s license number, Social Security data, medical information such as vaccination history, drug test results, and annual health questionnaire replies.
Flexcare will be giving staff members more training on email and network security and multi-factor authentication is being configured on their databases. Impacted persons have been offered 12-month free membership to CyberScout credit monitoring and identity theft protection software.