Billings Clinic Employee’s Email Account Hacked Exposing 8,400 Patients’ PHI

The protected health information (PHI) of 8,400 patients contained in the email account of an employee of Billings Clinic in Billings, MT was compromised. The clinic’s cybersecurity systems detected unusual activity on May 14, 2018 that suggested unauthorized access. The email account was secured immediately, but an unauthorized person may already have viewed or copied patients’ PHI.

The account contained a limited amount of information. Financial information and Social Security numbers were not included and therefore were not exposed. The information in the account had been used for patient appointments and the scheduling of medical services from 2008 to 2011.

The compromised information included names, birth dates, contact details, descriptions of medical services, diagnoses, internal financial control numbers and medical record numbers. According to the investigation, only one email account was compromised.

Many data breaches of this kind occur when employees fall for phishing scams, but in this particular case the breach is believed to have had a different cause: it happened while the employee was travelling overseas on a medical mission. While the employee was away, the unauthorized person obtained the employee’s email credentials, most likely when the employee connected to an unsecured public Wi-Fi network or a rogue Wi-Fi hotspot.

Healthcare organizations should make sure that employees understand the risks of connecting to public Wi-Fi networks. This is especially important if employees are allowed to take PHI with them on portable devices or if they access PHI remotely. Employees should only connect to the internet through a virtual private network (VPN). VPN software must be kept up to date, and a web-filtering solution is recommended whenever the account is accessed from outside the corporate network.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focuses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/