Security Breaches Reported by DePaul and Southern Hills Eye Care

DePaul is informing a number of its behavioral health program patients about the exposure of their protected health information (PHI) due to a phishing attack. DePaul provides assisted living facilities and healthcare services in New York, North Carolina and South Carolina.

DePaul discovered the breach on February 1, 2019 and promptly secured the compromised email account. According to the breach investigators, only one email account was compromised but it contained 41,000 emails.

Most of the emails in the account did not include healthcare or psychiatric data; but some information was exposed, including first and last names, birth dates, and/or Social Security numbers. No proof of data access or theft was found, although the possibility could not be ruled out. The account was used to send further phishing emails and it is not believed that the attacker viewed or copied patient data. DePaul has offered free credit monitoring services for 12 months to all affected individuals whose Social Security number was exposed.

DePaul staff will undergo additional training to help them identify phishing emails and email security defenses will be strengthened.

The HHS’ Office for Civil Rights has not yet posted the breach notice on its breach portal so it is currently uncertain how many people have been impacted by the breach.

Southern Hills Eye Care Breach Announced

Southern Hills Eye Care located in Sioux City, IA had a ransomware attack that potentially resulted to the exposure of the PHI of certain patients.

The ransomware attack happened on January 15, 2019 and affected a server at the eye care provider’s Sioux City office. It was confirmed by the forensic investigators that an unauthorized person accessed  the server and potentially viewed files which contain the PHI of patients. The following types of data were included in the files: Names, addresses, birth dates, telephone numbers, health data, health insurance details, and some Medicare patients’ Social Security numbers.

Although it was possible that data was accessed, no evidence was found to suggest unauthorized persons accessed patient data. Southern Hills Eye Care has already implemented extra security controls to avoid similar breaches in the future.

OCR has not published the incident yet on its breach portal. The exact number of patients affected by the breach is uncertain at this time.