Billings Clinic Employee’s Email Account Hacked Exposing 8,400 Patients’ PHI

The protected health information (PHI) of 8,400 patients contained in the email account of an employee of Billings Clinic in Billings, MT was compromised. The clinic's security systems detected unusual activity on May 14, 2018 that suggested unauthorized access. The email account was secured immediately, but an unauthorized person may already have viewed or copied patients' PHI.

The account contained limited information. Financial information and Social Security numbers were not included and therefore were not exposed. The information in the account had been used for patient appointments and the scheduling of medical services from 2008 to 2011.

The compromised information in the account included names, birth dates, contact details, description of medical services, diagnoses, internal financial control numbers and medical record numbers. According to the investigation, only one email account was compromised.

Many data breaches such as this occur when employees fall for phishing scams, but in this case the breach is believed to have had a different cause: it occurred while the employee was travelling overseas on a medical mission. While the employee was away, an unauthorized person obtained the employee's email credentials, most likely when the employee connected to an unsecured public Wi-Fi network or a rogue Wi-Fi hotspot.

Healthcare organizations should make sure that employees know the risks involved in connecting to public Wi-Fi networks. This is especially important if employees are allowed to take PHI with them on portable devices or if they access PHI remotely. Employees should only connect to the internet through a virtual private network (VPN). VPN software must be kept up to date, and a web-filtering solution is recommended whenever the account is accessed from outside the corporate network.
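As an added example (not code from the article or from Billings Clinic), this is the kind of check a mail-platform security team can run to surface the "unusual activity" described above: an impossible-travel detector over account sign-in records. The sign-in lines, the coordinates and the speed threshold are constructed assumptions. The point it illustrates is that a legitimate overseas trip looks like a steady sequence of sign-ins from one region, while a stolen credential used from somewhere else shows up as a second location the account could not physically have reached in the time between consecutive sign-ins.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in records (not real logs): timestamp, account,
# source location label, latitude, longitude. "jdoe" is travelling abroad
# legitimately; the 07:52 sign-in from a third region is the anomaly.
SAMPLE_SIGNINS = """
2018-05-13T08:05:00Z,jdoe,Billings-US,45.78,-108.50
2018-05-14T07:40:00Z,jdoe,Guatemala-City,14.63,-90.51
2018-05-14T07:52:00Z,jdoe,Kyiv,50.45,30.52
2018-05-14T09:10:00Z,jdoe,Guatemala-City,14.63,-90.51
2018-05-14T09:15:00Z,asmith,Billings-US,45.78,-108.50
"""

# Assumption: nothing a traveller can do moves them faster than a long-haul
# flight, so a higher implied speed between two sign-ins is "impossible travel".
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
EARTH_RADIUS_KM = 6371.0


@dataclass
class SignIn:
    when: datetime
    account: str
    location: str
    lat: float
    lon: float


def parse_signins(text: str) -> list[SignIn]:
    """Parse the comma-separated sign-in lines into SignIn records."""
    records = []
    for line in text.strip().splitlines():
        ts, account, location, lat, lon = line.split(",")
        records.append(SignIn(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              account, location, float(lat), float(lon)))
    return records


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(records: list[SignIn],
                      max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH):
    """Return (account, from, to, km, hours) for each consecutive sign-in pair
    of one account whose implied speed exceeds max_speed_kmh."""
    by_account: dict[str, list[SignIn]] = {}
    for rec in sorted(records, key=lambda r: r.when):
        by_account.setdefault(rec.account, []).append(rec)

    alerts = []
    for account, events in by_account.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Same place, or no movement: nothing to flag. Zero elapsed time
            # with a real distance is flagged without dividing by zero.
            if km < 1.0:
                continue
            if hours == 0 or km / hours > max_speed_kmh:
                alerts.append((account, prev.location, cur.location,
                               round(km), round(hours, 2)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(parse_signins(SAMPLE_SIGNINS)):
        print("impossible travel:", alert)
```

Run stand-alone it prints two alerts for `jdoe` (Guatemala City to Kyiv in 12 minutes, then Kyiv back to Guatemala City in under 80 minutes) and nothing for `asmith`; the employee's own Billings-to-Guatemala hop a day earlier is well within the threshold. A simple "new country" rule would have fired on the legitimate trip as well, which is why a time-and-distance check is the better fit for travelling staff.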