Monthly breach reports show that email is the most common location of breached protected health information. Email accounts can contain a treasure trove of data and can be used for further phishing attacks and other attacks on a targeted organization.
In the past few weeks, four healthcare providers have announced they have suffered major phishing attacks that have resulted in the exposure and possible theft of many thousands of patients’ protected health information. Between these four attacks, the protected health information (PHI) of more than 170,000 patients has been exposed.
Meridian Health Services Corp Notifies 111,372 Patients About Phishing Incident
The Muncie, IN-based healthcare provider, Meridian Health Services Corporation, has started notifying 111,372 patients that some of their PHI was stored in email accounts that were accessed by unauthorized individuals between December 9, 2019 and December 11, 2019.
Upon discovery of the breach, a password resent was performed to ensure no further unauthorized access was possible and a leading computer forensic firm was engaged to investigate the breach. The investigation confirmed on February 27, 2020 that the compromised accounts contained PHI such as names, dates of birth, state ID numbers, driver’s license numbers, payment card information, limited medical information, and Social Security numbers.
Affected individuals have been offered complimentary membership to Experian IdentityWorks credit monitoring and identity theft protection services.
Saint Francis Healthcare Partners Phishing Attack Impacts 38,529 Patients
The Hartford, CT-based healthcare provider, Saint Francis Healthcare Partners, has announced it suffered an email security breach on December 30, 2019. An unauthorized individual gained access to the email system and potentially viewed and downloaded emails that contained the PHI of 38,529 patients.
The investigation revealed on March 20, 2020 that the emails and attachments in the compromised accounts contained PHI including patients’ names, medical histories, clinical information, medical record numbers, dates of service, diagnoses, provider names, health insurance provider name, patient account numbers, treatment information, prescription information and/or procedure types. No evidence was found to suggest PHI was accessed or copied by the attackers, but data theft could not be ruled out.
Mille Lacs Health System Suffers 10,630-Record Phishing Breach
On May 11, 2020, Mille Lacs Health System in Minnesota announced it was the victim of a phishing attack. Emails had been sent to some of its employees soliciting their login information, which allowed the attackers to access their email accounts.
The breach was detected on November 14, 2019 and the investigation confirmed that the accounts were accessed between August 26, 2019 and January 7, 2020. The investigation into the breach was concluded on April 22, 2020 and confirmed that the email accounts contained the PHI of 10,630 patients. The types of data exposed varied from patient to patient and may have included first and last names, addresses, dates of birth, provider names, dates of service, clinical information, treatment information, procedure types, and Social Security numbers.
No evidence of data access or data theft was found, but unauthorized PHI access could not be ruled out. Complementary credit monitoring services have been offered to affected patients.
PHI of 10,190 Patients Exposed in District Medical Group Phishing Attack
The Arizona-based integrated medical group, District Medical Group, discovered on March 20, 2020 that it was targeted in a phishing attack in which the email accounts of several employees were accessed by unauthorized individuals.
The investigated revealed the email accounts were compromised between February 4, 2020 and February 10, 2020 and emails and attachments in the accounts contained the PHI of 10,190 patients, including patient names, medical record numbers, medical information, and health insurance information, along with a limited number of Social Security numbers.
No evidence of unauthorized PHI access or PHI theft was found during the breach investigation. Complimentary credit monitoring and identity theft protection services have been offered to patients whose Social Security number was potentially compromised.