3 Healthcare Providers Have Began Notifying Patients Regarding Recent Phishing Attacks

This is a summary of healthcare phishing attacks that were publicly announced in the last couple of days.

2,254 Patients Affected by Email Account Breach at Leonard J. Chabert Medical Center

Leonard J. Chabert Medical Center received notified that the protected health information (PHI) of some of its patients was compromised because of a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD reported a breach on November 20, 2020. On November 24, 2020, it found out that a number of patient information coming from Leonard J. Chabert Medical Center, one of its partner hospitals, had likewise been affected by the breach.

Leonard J. Chabert Medical Center received information about the breach on December 3, 2020, the evaluation of which showed that the PHI of 2,254 patients were exposed from September 15, 2020 up to September 18, 2020.

For the majority of patients, the exposed information only included names, telephone numbers, addresses, health record numbers, birth dates, account numbers, types of services gotten, dates of service, and medical insurance identification numbers. The limited health data for example diagnoses and/or bank account numbers of a small number of patients were likewise exposed.

LSU HCSD is going over its email security procedures, which will be improved to avoid the same breaches later on and more security awareness training will be given to staff members.

PHI of 1,800 Patients Possibly Compromised Due to Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) based in Massachusetts discovered that an unauthorized individual accessed a staff member’s email account subsequent to responding to a phishing email. LCHC discovered the phishing attack on November 25, 2020 and promptly secured the email account. With the help of a digital forensics agency, LCHC established that up to 4 email accounts were compromised in the phishing attack.

An analysis of the possibly breached accounts revealed they included patient names along with one or more of these data elements: Mailing address, date of birth, phone number, insurance details, medical record number, diagnoses, and other clinical data. The Social Security number of a number of patients were additionally exposed.

The ongoing investigation has not found any proof that suggests patient data theft or misuse, however, as a preventive measure, people who had their Social Security number potentially compromised received offers of credit monitoring and identity theft protection services for free.

More safety measures are being put in place to avoid further email security breaches. Information protocols are being modified, and worker security awareness training was improved.

Auris Health Informs Patient Regarding March 2020 Email Account Breach

Auris Health located in Redwood City, CA started notifying a number of patients concerning an unauthorized person who possibly obtained access to some of their PHI because of an employee email account breach in March 2020.

Upon knowing about the breach, access to the account was blocked and an investigation was performed to find out the nature and magnitude of the breach. The inquiry into the attack is in progress, nevertheless, Auris Health has learned that the compromised email account held patient names combined with at least one of the following data elements: tax identification number, Social Security Number, passport number, health insurance number, health data, payment card details, and financial account number(s).

Auris Health is employing extra security measures to avert more breaches later on, such as improving its email authentication procedures. Affected persons got offers of complimentary membership to credit and identity theft monitoring services for two years.