PHI of Sacred Heart Rehabilitation Center Patients Exposed Due to Phishing Attack

Sacred Heart Rehabilitation Center in Memphis, MI, provides substance abuse treatment and care services for HIV/AIDS patients. The center discovered that an unauthorized person had gained access to an employee’s email account after the employee responded to a phishing email.

The email account breach occurred between April 5 and April 7, 2018. It is not clear when the rehabilitation center detected the phishing attack, but once the breach was identified, rapid action was taken to block access to the compromised account and a breach investigation was launched. The investigators found that the compromised account contained the protected health information (PHI) of certain patients, including patients’ names, Social Security numbers, home addresses, diagnoses, treatment data and health insurance details. Breach notifications were sent to affected individuals on January 9, 2018.

At the time of writing, the center has not publicly disclosed how many patients were affected by the breach, although the rehabilitation center stated in its breach notice that not all patients’ information had been compromised.

Sacred Heart Rehabilitation Center has offered all patients whose PHI was compromised free credit monitoring and identity theft protection services for one year. All patients were advised to monitor their financial accounts and explanation of benefits statements and to look for signs of PHI misuse. To date, the rehab center has not received any reports of PHI misuse.

To minimize the risk of successful phishing attacks in the future, the center has implemented additional security controls and is providing its workforce with further security awareness training.

Healthcare organizations in Michigan did not have a great end to 2018. Blue Cross Blue Shield of Michigan reported two data breaches in December that affected over 16,000 people, and Kent County Community Mental Health Authority also reported a phishing attack that impacted 2,200 patients.