Email Incidents Reported by CareOregon Advantage, Ultimate Care, and University Medical Center Southern Nevada

Three email incidents were recently reported by CareOregon Advantage, University Medical Center Southern Nevada, and Ultimate Care. A total of 38,485 individuals were affected.

PHI of CareOregon Advantage Members Exposed Due to Misdirected Email

CareOregon Advantage, the health insurance agency based in Portland, OR , has started sending notifications to 10,467 plan members regarding an impermissible disclosure of some of their protected health information (PHI). On January 27, 2022, an email having an attachment with plan member data was sent to a contracted consultant erroneously.

The consultant quickly informed CareOregon Advantage concerning the mistake and permanently removed the email message and attachment. The attached file included information such as member names, ID numbers, Medicaid/Medicare numbers, and birth dates. CareOregon Advantage is convinced the possibility of misuse of member information is negligible.

CareOregon Advantage stated its investigation affirmed that it has the proper policies and procedures in place to deal with these types of situations and those policies and protocols are evaluated yearly. The worker who sent the email was given extra training.

15,788 Individuals Affected by Phishing Attack on Ultimate Care

Ultimate Care, the home care agency located in Brooklyn, NY, has just announced that unauthorized persons
accessed some employee email accounts since employees responded to phishing emails. When the security breach was discovered, quick action was done to secure its email account and a forensic investigation was started to know the scope of the data breach.

The forensic investigation results showed that unauthorized individuals accessed the email accounts from April 7, 2021 to June 2, 2021. A manual analysis of all emails in the accounts established they comprised names, together with one or more of the following types of data: driver’s license numbers, passport numbers, Social Security numbers, dates of birth, financial account data, credit or debit card details, medical details, medical insurance policy data, and/or usernames and passwords.

Ultimate Care mentioned there were no reports received that indicate the improper use of any patient data; nevertheless, as a safety measure against identity theft and fraud, people whose Social Security numbers were exposed were provided complimentary one-year memberships with a credit monitoring provider. Notification letters were mailed to impacted persons on February 22, 2022.

The breach report was submitted to the HHS’ Office for Civil Rights indicating that 15,788 people were affected.

Business Associate Email Breach Impacted University Medical Center Southern Nevada Patients

University Medical Center Southern Nevada (UMC) has lately reported the potential compromise of the PHI of 12,230 patients was potentially compromised in a cyberattack at one of its business associates: The healthcare software vendor Advent Health Partners (AHA).

AHA found out about the email breach in early September 2021 and confirmed on December 2, 2021, that files made up of the PHI of its healthcare firm customers were accessed. The files included last and first names, Social Security numbers, drivers’ license information, birth dates, health insurance details, medical treatment data, and financial account details. AHA issued notification letters regarding the cyberattack on January 6, 2021. Advent Health Partners sent the breach report indicating that 1,383 persons were impacted, however a few of its clients, which include UMC, reported the breach on their own.

This is UMC’s third reported data breach in the last 18 months. UMC encountered a REvil ransomware attack in June 2021 that allowed the theft of the PHI of 1.3 million people, and last March 2021, UMC announced an unauthorized access/disclosure incident affecting 1,833 people.