The insurance brokerage company Relational Insurance Inc., doing business as Relation Insurance Services of Georgia (RISG), had encountered an email security breach last August 2019. It was discovered that an unauthorized person haa acquired access to an employee’s email account and potentially read or copied emails that contain the protected health information (PHI) of its clients.
RISG discovered the breach on August 15, 2019 after noticing suspicious activity in the employee’s email account. An independent computer forensics company helped investigate the breach and determine whether an unauthorized person accessed the account from August 14 to August 15.
On August 16, 2019, RISG learned that there was PHI contained in the account; however, the account review, which included determination of the people affected and the information potentially compromised, was just finished on December 13, 2019.
According to the investigation, the account contained a broad selection of information, which varied from one person to another. The PHI that was potentially breached included: name, address, phone number, email address, birth date, driver’s license number, passport number, Social Security number, identification number issued by the state, copies of marriage or birth certificates, financial company name, account and routing number, credit/debit card number, PIN, expiration date, prescription details, treatment data, provider name, patient ID, medical record number, medical insurance data, treatment cost, mental or physical condition, medical history, diagnosis code, type of procedure, procedure code, treatment site, medical device number, admission and discharge date, and date of death.
RISG has taken steps to enhance email security and stop the same breaches later on. The breach report sent to the HHS’ Office for Civil Rights indicates that the breach potentially affected the PHI of about 4,335 people.
Rainbow Hospice Care, Inc. Discovers Email Security Breach
Rainbow Hospice Care, Inc. based in Jefferson, WI discovered the unauthorized access of an employee’s email account and the potential viewing or downloading of the PHI of 2,029 present and past patients.
Third-party forensic detectives investigated the breach. Although they affirmed the access of the account by an unauthorized person, they could not ascertain if the hacker accessed or exfiltrated any patient information. An analysis of the breached account showed it was comprised of patient names, birth dates, Social Security numbers, treatment data, and medical record numbers.
Patients received notifications about the breach and offers of free credit monitoring services via Experian. Rainbow Hospice Care has not received any report of misuse of patient data. The provider’s substitute breach notice stated that it is unlikely that patient information was misused.