Data Breaches at Valley Professionals Community Health Center and Sunflower State Health Plan Impact 13,625 Patients

Valley Professionals Community Health Center in Indiana has experienced a phishing attack that has resulted in an employee’s email account being accessed by an unauthorized person.

The attacker impersonated an employee in a healthcare organization who has worked with Valley Professionals Community Health Center in the past. The email recipient thought the email was genuine and responded and was fooled into divulging login credentials to the email account.

Valley Professionals Community Health Center noticed suspicious email activity on November 27, 2018. The account was secured and the breach was investigated. A third-party computer forensics firm provided assistance and confirmed that the email account was accessed by an unauthorized individual from October 26 to November 27, 2018.

The email messages in the account contained the protected health information (PHI) of patients, including names, addresses, birth dates, medical record numbers, patient ID numbers, diagnoses, procedure data, treatment data, payment information, provider details and Social Security numbers. The bank account number, routing details, and/or health insurance data of some patients were also exposed.

Because it wasn’t possible to determine which email messages in the account were accessed by the attacker, Valley Professionals Community Health Center decided to issue breach notification letters to all persons whose PHI was included in the account. About 12,000 patients received notification letters and have been offered free credit monitoring services.

Valley Professionals Community Health Center has now implemented further technical measures to protect against phishing attacks. Employees have also received additional security training and education.

Impermissible PHI Disclosure at Sunflower State Health Plan

Sunflower State Health Plan in Kansas has reported a data breach affecting 1,625 plan members, whose PHI was impermissibly disclosed. Sunflower Health Plan sent ID cards and welcome packs by mail to 1,625 plan members on November 26, 2018; but an error with the mailing resulted in the letters being sent to incorrect recipients. Plan members’ full names and Medicaid ID numbers were detailed on the cards and in the welcome packs.

Sunflower Health Plan became aware of the error on December 3, 2018 and sent replacement ID cards and welcome packs to all 1,625 members. Sunflower Health Plan has altered its mailing procedures to help prevent further mailing errors.