A phishing attack on PIH Health, a 2-hospital not-for-profit healthcare network established in Whittier, CA, resulted in the potential breach of the personal and protected health information (PHI) of about 200,000 patients in June 2019.
PIH Health found out on June 18, 2019 that unauthorized individuals had accessed the email accounts of some employees as a result of a targeted phishing attack. The hospital immediately secured the email accounts and launched an investigation to determine the nature and scope of the breach.
Cybersecurity experts helped PIH Health investigate the incident and confirmed on October 2, 2019 that unauthorized access of the email accounts occurred from June 11, 2019 to June 18, 2019.
The cybersecurity experts also reviewed the email accounts to ascertain whether they contained any patient data. The review was concluded on November 12, 2019. Afterward, PIH Health tried to get updated contact details for present and past patients impacted by the breach. The hospital mailed breach notifications to those people on January 10, 2020.
The Department of Health and Human Services Office for Civil Rights has already received the phishing attack report and has posted the incident on its breach portal. The summary report indicated that the breach potentially impacted around 199,548 patients.
Patients were instructed to keep track of their account statements for any suspected fraudulent activity and report it immediately. Patients also received offers of free credit monitoring and identity theft protection services via Kroll for one year.
PIH Health mentioned in its substitute breach notification that the company considers data privacy and protection a top priority and it extends its deepest apologies for the inconvenience or worry the incident has caused to its patients.