A phishing attack on Southwest Washington Regional Surgery Center, located in Vancouver, WA, resulted in the exposure of the protected health information (PHI) of 2,393 patients. Only one email account was compromised in the breach, and no evidence was uncovered to suggest the attacker accessed or downloaded any emails. A third-party cybersecurity company helped with the investigation, which was completed on September 25.
The investigators performed a manual review of all the emails contained in the compromised email account to identify patients affected by the breach and the types of patient information that had been exposed.
Southwest Washington Regional Surgery Center’s breach notice stated that the PHI elements potentially exposed as a result of the breach were limited to patients’ names, Social Security numbers, driver’s license numbers, medical data, and in some cases, credit card numbers. The cybersecurity firm confirmed that the email account was first accessed on May 27, 2018 and access remained possible until August 13, 2018.
Southwest Washington Regional Surgery Center sent notification letters to patients impacted by the breach on November 6, 2018 and has offered affected individuals free identity theft and credit monitoring services for one year. Additional information was also provided on the actions patients could take to minimize the risk of identity theft and fraud.
Southwest Washington Regional Surgery Center has now improved its email access procedures to protect against further phishing attacks, reset passwords, and updated its password policy.