Onco360 and CareMed Specialty Pharmacy notified 53,173 patients that their protected health information (PHI) was potentially compromised. The security breach is believed to have happened on November 14, 2017, based on suspicious activity detected in relation to an employee’s email account.
Third-party computer forensics experts investigated the incident to determine the nature and scope of the data breach. They released a report on November 30 stating that three email accounts were involved in the breach. Some messages in those accounts contained the PHI of patients. The hacker could have viewed or stolen the sensitive information.
The potentially compromised PHI includes the patients’ names, Social Security numbers, demographic details, clinical information, prescribed medications provided by the pharmacy, and health insurance details. The financial information of some patients may have been exposed, too.
No reports have been received that indicate misuse of any PHI. Even so, patients were advised to be careful and to check their billing statements, credit reports and Explanation of Benefits statements for any possible sign of fraud. Patients were offered one year of free credit monitoring and identity theft protection services through ID Experts.
Employees responding to phishing emails appear to be the reason the security breach occurred. In response, the covered entity gave all staff further HIPAA training to teach them how to identify malicious emails. Better email security controls were implemented to stop future phishing attacks.