Scenic Bluffs Community Health Centers discovered an email account breach on March 1, 2018, which resulted in the potential compromise of the protected health information (PHI) of about 2,889 patients. An unauthorized person gained access to an employee's email account on February 28, 2018. The attacker set up a mail forwarder on the account and forwarded 44 messages to an email address he controlled.
The investigation showed that none of the forwarded emails contained any protected health information. The mail forwarder was deleted immediately upon discovery and the email account was closed. All PHI associated with the account was secured. Although it seemed that the attacker did not obtain any PHI, it is still possible that the attacker viewed the PHI detailed in the emails during the time he had access to the email account.
There is no clear report of how the attacker gained access to the email account. Usually, access to an email account is gained after an employee responds to a phishing email, inadvertently disclosing his account login credentials. Another possibility is a brute force attack, which exploits weak passwords.
Scenic Bluffs Community Health Centers hired a third-party cybersecurity firm to assess its network systems. The firm's recommendations on necessary security solutions will be implemented to further protect the privacy of the Community Health Centers' patients and stop future security breaches.
Scenic Bluffs Community Health Centers mailed breach notification letters on April 23, 2018 to all patients whose PHI was potentially exposed.