Sacred Heart Rehabilitation Center in Memphis, MI provides substance abuse treatment and care services for HIV/AIDS patients. The center found out that an unauthorized person gained access to an employee’s email account after the employee responded to a phishing email.
The email-related breach happened from April 5 to April 7, 2018. It is uncertain when the rehabilitation center detected the phishing attack, but according to the findings of the breach investigators, the account contained certain protected health information (PHI) of patients. The people whose PHI was potentially compromised received breach notification letters on January 9, 2018.
The compromised account contained information such as patients’ names, Social Security numbers, home addresses, diagnoses, treatment data and health insurance details.
The center has not publicly disclosed how many patients were affected by the breach at this point, but it did say that not all patients' information was compromised. The Department of Health and Human Services' Office for Civil Rights breach portal has not yet listed this particular breach.
Sacred Heart Rehabilitation Center also offered all patients whose PHI was compromised free credit monitoring and identity theft protection services for one year. All patients were advised to monitor their financial accounts and explanation of benefits statements and to watch for signs of PHI misuse. To date, the rehab center has not received any reports of PHI misuse.
To minimize the risk of further successful phishing attacks, additional security controls must be implemented and staff must undergo further security awareness training.
Healthcare organizations in Michigan did not have a good end to 2018. Blue Cross Blue Shield of Michigan reported two data breaches in December that affected over 16,000 people, and Kent County Community Mental Health Authority also reported a phishing attack, which impacted 2,200 people.