The HIPAA Guide - Celebrating Over 15 Years Online

Phishing Attack on Health First Compromised 42,000 Customers’ PHI

November 14, 2018HIPAA Breaches, Violations, and Fines0

Health First Inc., a health system with four hospitals based in Florida, experienced a hacking/IT incident earlier this year and reported the breach to the Department of Health and Human Servicesโ€™ Office for Civil Rights on October 5. Further information has now been released on the nature of the breach.

As per the OCR breach summary, 42,000 individuals were affected by the breach which has now been confirmed as a phishing attack.ย Health First explained that phishing emails were sent to its employees, the responses to which resulted in the accidental disclosure of email credentials. Some of the emails in the compromised accounts contained patients’ protected health information (PHI). The attack did not affect the health plan’s electronic medical record system.

The attackers first accessed a company email account in February 2018, and the account was used to send further phishing emails to staff members. Further accounts were breached between February and May.

Health First claimed the attackers were able to access only โ€œa small numberโ€ of email accounts, which contained a limited amount of PHI. Customers’ names, birth dates and addresses were exposed along with some Social Security numbers. Medical data and financial information were not compromised.

Forensic computer experts were called in to investigate the phishing attack. Based on their evaluation, Health First reports that the attackers appeared not to be interested in accessing emails or getting hold of protected health information. The attackers simply wanted to compromise more email accounts and carry out more phishing scams. The attackers were discovered to have only opened a few emails.

When Health First discovered the breach, the passwords of all compromised employee email accounts were changed to stop the attackers from accessing the accounts. New security controls were also put in place to prevent further breaches.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

Health First has notified all the patients affected by the breach and offered them 12 months of complimentary AllClear ID identity theft monitoring and identity repair services.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/

The HIPAA Guide is a registered trademark. Copyright © 2007-2025 The HIPAA Guide. All rights reserved.