Confluence Health Discovers Phishing Attack Resulted in PHI Exposure

A data breach has been reported by Confluence Health, a non-profit health system managing Wenatchee Valley Hospital and Central Washington Hospital plus other satellite medical centers in Central and North Washington. The breach occurred as a result of an employee responding to a phishing email.

The data breach was detected on May 29, 2018 when suspicious email account activity was identified. A third-party computer forensics firm was called in to conduct a detailed investigation into the breach. That investigation revealed an unauthorized individual gained control of an employee’s email on May 28 and accessed the account the same day and again on May 30.

The compromised email account contained only a limited amount of protected health information. No financial data, Social Security numbers or highly sensitive information was exposed. The breach was limited to patient names and treatment information.

Prior to the phishing attack, Confluence Health had implemented layered security defenses and employees had undergone HIPAA compliance training to raise awareness of the threat from phishing. However, on this occasion, those measures were not sufficient to prevent a successful phishing attack.

Even though an unauthorized individual may have viewed PHI, the investigators didn’t uncover proof that the PHI was stolen and Confluence Health has not been notified about any potential misuse of PHI. Confluence Health has now notified all impacted patients about the breach. The breach has prompted the healthcare provider to implement further security controls which will detect suspicious email or network activity faster.

This latest phishing attack is one of many phishing breaches to be reported by healthcare providers in the past two months. Boys Town National Research Hospital, Terteling Co. Inc, Group Benefit Plan, Sunspire Health and Alive Hospice have also discovered email accounts have been compromised as a result of employees responding to phishing emails.


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: