7,858 Patients’ PHI Potentially Exposed Due to Covenant Care Email Account Breach

Covenant Care in Aliso Viejo, CA, a network of residential care and skilled nursing facilities, found that an unauthorized person gained access to an employee’s email account and potentially viewed or acquired the protected health information (PHI) of 7,858 patients.

Suspicious activity in the employee’s email account was noticed on January 29, 2019. Third-party forensics experts helped to investigate and concluded that the email account was compromised on January 22, 2019 and remained accessible until Covenant Care secured the account on January 29.

The investigators finished the analysis of the breached email account on February 13, 2019 and confirmed that, during the period when the account was accessible, the unauthorized person could have opened emails and email attachments containing the following information: full name, birth date, Social Security number, medical record number, diagnoses, medical insurance claim number, name of provider(s), location(s) of treatment, Medicare covered days, Medicare billing details, dates of admission and re-admission, dates of service, discharge dates, and data in connection with medical equipment, outpatient services, home health services and hospice services.

No evidence has been found to indicate the theft or misuse of any patient information. Nevertheless, as a precaution, Covenant Care notified patients affected by the breach and offered one year of credit monitoring and identity theft restoration services without charge. Notifications started to be sent on March 6, 2019.

Covenant Care reported that it has implemented strict security safeguards, but additional controls will be applied to enhance email security. It is reviewing all technical, physical and administrative safeguards to identify any further areas that need security improvements. Employees will also undergo additional HIPAA training on email security and cyber security awareness.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/