PHI of 14,305 Patients Exposed Due to a Phishing Attack on Main Line Endoscopy Centers

Main Line Endoscopy Centers, a network of outpatient endoscopy clinics in the Malvern, Media and Bala Cynwyd regions of Pennsylvania, recently encountered a phishing attack. An unauthorized person was able to access one employee’s email account because the employee made the mistake of responding to a phishing email. It is not known when the breach exactly happened but it was discovered on January 30, 2019.

A leading computer forensics firm helped investigate the breach primarily to find out whether the unauthorized person accessed any email messages in the account and whether there was a compromise of any protected health information (PHI). The investigators confirmed that it is possible the attackers accessed some patients’ PHI, such as, their names, dates of birth, and some clinical information. Some patients may have had their health insurance details, driver’s license numbers and Social Security numbers compromised.

Main Line sent notification letters about the breach to all affected patients on March 29, 2019. Only those who had their Social Security numbers or driver’s license numbers compromised have been offered complimentary identity theft protection services.

All patients affected by the breach have been advised to monitor their explanation of benefits statements, financial accounts and credit reports for possible fraudulent transactions.

All Main Line employees underwent additional training on email security and phishing attacks to improve resilience to future attacks. Main Line Endoscopy Centers has also now employed multi-factor authentication to prevent unauthorized account access in the event that employee login credentials are compromised in the future.

Main Line has submitted its breach report to the Department of Health and Human Services’ Office for Civil Rights and the incident has been posted on OCR’s web portal, which shows 14,305 patients have been affected.