Family Physicians Group in Orlando has informed around 8,400 patients that a phishing attack allowed hackers to access their protected health information (PHI).
Family Physicians Group is a large healthcare provider that offers healthcare services for Medicare and Medicaid beneficiaries residing in Central Florida and operates 22 clinics in the region.
The investigation of the phishing attack revealed that the hacker obtained access to an employee’s email account on August 7, 2018. The unauthorized individual very likely continued to access the account until August 21, 2018, when Family Physicians Group discovered the breach and changed the login details. The hacker had acquired the login details when the employee responded to a phishing email message.
When the email messages contained in the compromised account were examined, the investigators found that the PHI of patients was included in some messages. The messages did not contain any financial data or Social Security numbers; only names, birth dates, names of physicians, and health insurance plan information were potentially viewed.
While the theft of patient data was possible, no reports of misuse of patient information have been received by Family Physicians Group. As a security measure, employees’ email passwords have been reset and additional protection measures have been put in place to strengthen the group’s defenses against phishing attacks.
Family Physicians Group sent breach notifications to the affected patients on December 28, 2018. The breached entity did not give any reason for the delay in issuing notifications to patients. HIPAA requires patients to be notified about a breach within 60 days of discovery.