Phishing Attack on Alive Hospice Compromised Patients’ PHI

Alive Hospice in Tennessee has discovered that the email accounts of two employees were compromised after the employees fell victim to phishing attacks. During a review of its email system on May 15, 2018, Alive Hospice noticed ongoing unauthorized access to the email accounts. Immediately after the breach was identified, third-party access to the accounts was blocked by performing a password reset. Investigators from a third-party forensics firm were called in to investigate the breach and determine how it occurred and whether PHI was accessed.

The investigation showed that the first email account was breached on December 20, 2017, and the second on April 5, 2018. Both email accounts were found to contain patients’ protected health information (PHI). It’s possible that the hacker accessed or copied PHI.

The patient information that was potentially compromised varied from person to person and could have included names, birth dates, driver’s license numbers, Social Security numbers, financial account numbers, passport numbers, birth and death certificates, prescription medications, medical histories, treatment details, biometric identifiers, health insurance numbers, IRS PIN numbers, security questions and answers, digital signatures, usernames and passwords.

The investigators did not find any evidence to suggest PHI had been downloaded, nor have any reports been received to suggest misuse of patient information. Alive Hospice sent notification letters to all patients impacted by the data breach on July 13, 2018. The patients were also offered free credit monitoring and identity theft protection services for one year. Because of the sensitive information exposed, patients have been warned to monitor their accounts for any sign of fraud.

Alive Hospice claims to have already set up stringent security controls to protect its systems from unauthorized access, and additional security measures are being implemented to defend against future attacks.

The HHS’ Office for Civil Rights has not yet published the incident on its breach portal, so it is not clear at this time how many patients were affected by the breach. Alive Hospice did not disclose this information in its substitute breach notice.