Email-Related Breaches Reported by Hopebridge and United Methodist Homes

Hopebridge, a healthcare organization that operates a network of 28 autism treatment centers across the Midwest, has discovered a threat actor has gained access to its email system as a result of employees responding to phishing emails. The compromised email accounts contained a range of protected health information of its patients.

Hopebridge discovered the data breach on July 19, 2018 and after securing its email system, hired a third-party computer forensics firm to look into the nature and extent of the data breach.

The investigation revealed several employees had responded to phishing emails between March until July 2018. By responding to requests in the messages, employees disclosed their email login credentials allowing their accounts to be remotely accessed by the attacker.

The types of information exposed through the accounts include names, the healthcare services they received, and their autism diagnosis. While PHI was potentially accessed, the investigation suggested the attacker was only interested in gaining access to employee’s financial information.

Hopebridge notified the Department of Health and Human Services’ Office for Civil Rights about the breach specifying that the phishing attack possibly affected 1,411 patients. At this point, no reports have been received to suggest the attacker accessed and misused patients’ data. Hopebridge has now put in place tougher access controls, which include the use of 2-factor authentication on all email accounts and IP address whitelisting. AS an additional measure to protect the privacy of patients, patient names are redacted in internal emails and health reports sent via email.

United Methodist Homes, a New York-based network of assisted living facilities for seniors, also recently reported it suffered an email-related data breach. A former staff member stole the protected health information of 843 former and current residents in its Elizabeth Church and Hilltop campuses.

The data of residents were stored in a spreadsheet that was sent to the employee’s personal email account. The spreadsheet listed the names, addresses, and phone numbers of the residents’ contact person(s) and their relationship with their respective patients. No financial data, medical information, Social Security numbers, health insurance details or other highly sensitive information were compromised.

United Methodist Homes found out about the incident on July 13, 2018 and confronted the employee. As a result of the incident, the decision was taken to terminate the employee. The residents affected by the breach have been offered credit monitoring services for 12 months without charge as a precaution against identity theft and fraud.