Covenant Care in Aliso Viejo, CA, a network of residential care and skilled nursing facilities, found that an unauthorized person got access to the email account of an employee and potentially viewed or acquired the protected health information (PHI) of 7,858 patients.
Suspicious activity in the employee’s email account was noticed on January 29, 2019. Third-party forensics experts helped to investigate and concluded that the email account was compromised on January 22, 2019 and remained accessible until Covenant Care secured the account on January 29.
The investigators finished the analysis of the breached email account on February 13, 2019 and affirmed that for the period when the account was accessible, the unauthorized person could have opened emails and email attachments containing the following information: Full name, birth date, Social Security number, medical record number, diagnoses, medical insurance claim number, name of provider(s), location(s) of treatment, Medicare covered days, Medicare billing details, dates of admission and re-admission, dates of service, discharge dates, and data in connection with medical equipment, outpatient services, home health services and hospice services.
No evidence has been found to indicate the theft or misuse of any patient information. Nevertheless, as a precaution, Covenant Care notified patients affected by the breach and offered one year of credit monitoring and identity theft restoration services without charge. Notifications started to be sent on March 6, 2019.
Covenant Care reported that they have implemented strict security safeguards but additional controls will be applied to enhance email security. They are reviewing all technical, physical and administrative safeguards to determine any further areas that need security improvements. Employees will also undergo additional training on email security and cyber security awareness.