MedSpring Urgent Care, a network of emergency care clinics located in Austin, Atlanta, Chicago, Houston, Fort Worth, and Dallas, has discovered an unauthorized person obtained access to an email account as a result of an employee being tricked by a phishing email.
The email account was accessed on May 8, 2018; however, MedSpring Urgent Care did not detect the security breach until May 17. After the breach was discovered, the email account was secured to prevent further access and misuse. A leading cybersecurity forensics company was also hired to carry out an investigation of the breach and assist with mitigation.
MedSpring found out on May 22, 2018 that the threat actor may have gained access to the protected health information (PHI) of patients via emails and file attachments. The breach was restricted to a single employee’s email account. Other systems were not affected.
The investigators conducted a full assessment of all emails in the account to ascertain which patients were affected and what types of information were potentially disclosed. MedSpring states the breach was limited to patients who visited its urgent care facilities in Illinois.
The email account included information such as names, patient record numbers, account numbers, dates of service, and other details associated with the medical services provided to patients. The investigation did not uncover any evidence to indicate that emails in the account were viewed, and MedSpring has not been informed of any instances of improper use of patient information to date.
All patients affected by the phishing attack have been notified via mail and offered a year of free credit monitoring, identity protection and fraud resolution services through Experian.
MedSpring has notified the Department of Health and Human Services’ Office for Civil Rights about the breach. The report indicates 13,034 patients have been affected.