Healthcare Organizations Reported A Number of Email Security Breaches

HIPAA-covered entities and their business associates recently reported 5 more healthcare data breaches associated with 500 or more records.

Email Account Breach at Shields Health Solutions

Shields Health Solutions, based in Stoughton, MA, provides specialty pharmacy services to covered entities and hospitals. An unauthorized person accessed an employee’s email account and possibly viewed/copied the protected health information (PHI) it contained.

Shields Health Solutions detected suspicious activity in the employee’s email account on October 24, 2019. A cybersecurity company investigated the incident and confirmed that an unauthorized person accessed the account from October 22 to October 24, 2019. The breach was restricted to one email account.

The email account had messages and file attachments that contained patient names, birth dates, medical record numbers, provider names, clinical data, prescription details, insurance provider names, and limited claims data. There is no evidence suggesting that patient data was accessed or copied.

Shields Health Solutions improved its email security by using multi-factor authentication on all the email accounts of employees and sent notification letters on December 16, 2019 to the affected persons. The HHS’ Office for Civil Rights (OCR) breach portal hasn’t published the breach yet, so the exact number of people affected is not yet known.

Email Breach at Lafayette Regional Rehabilitation Hospital

Lafayette Regional Rehabilitation Hospital, based in Lafayette, IN, discovered in July 2019 that an unauthorized person accessed an employee’s email account and possibly viewed patients’ PHI.

Upon discovery of the breach on November 25, 2019, the incident was promptly investigated to determine whether unauthorized persons accessed any patient data. No evidence was found that suggests patient data was viewed or copied; however, the possibility cannot be eliminated. The compromised email account contained names, birth dates, and clinical and treatment data associated with medical services provided at the hospital. The Social Security numbers of some patients were also exposed.

The hospital sent notification letters to impacted patients on January 24, 2019. Those who had their Social Security numbers exposed received free credit monitoring services. Lafayette Regional Rehabilitation Hospital also improved email security and reinforced the training of employees on security awareness.

The breach report sent to the OCR stated that the breach affected around 1,360 patients.

Phishing Attack on MHMR of Tarrant County

A phishing attack on My Health My Resources (MHMR) of Tarrant County in Fort Worth, TX affected the email accounts of some employees. MHMR discovered the phishing attack on December 3, 2019.

According to the investigation, an unauthorized person accessed the accounts in the period covering October 12 to October 14, 2019. The information contained in the email accounts included names, driver’s license numbers, Social Security numbers, and some data on the services acquired at MHMR.

It cannot be determined if patient data was viewed. There is also no information on the misuse of patient information. As a precaution, all 6,524 people whose data was contained in the compromised email accounts were notified by postal mail. Those who had their driver’s license number or Social Security number exposed were offered free credit monitoring and identity theft protection services.

Employees also received extra email security training. MHMR also enhanced its security controls and systems.

Phishing Attack at Reva

Reva, a provider of medical transportation services, reported that an unauthorized person potentially accessed the PHI of around 1,000 patients because of a phishing attack.

When Reva detected suspicious activity in an employee’s email account on September 12, 2019, the provider secured the account and launched an investigation. It was discovered that other email accounts were compromised. Unauthorized access to the accounts could have happened from July 23, 2019 to September 13, 2019.

The information contained in the compromised accounts included patients’ names, dates of service, travel insurance data, limited clinical data, driver’s license numbers, passport numbers, and some Social Security numbers.

Reva offered free credit monitoring and identity theft protection services to patients who had their driver’s license numbers or Social Security numbers exposed. The affected people received notifications by mail on January 22, 2019.

Reva enhanced email security by implementing multi-factor authentication and giving employees further security awareness training.

Lawrenceville Internal Medicine Associates Email Error

Lawrenceville Internal Medicine Associates (LIMA), located in Lawrence Township, NJ, is notifying 8,031 people regarding an email error that resulted in the exposure of patients’ email addresses. The mailing error also affected some Endocrinology Associates of Princeton, LLC patients.

LIMA sent an email announcement to patients on October 29, 2019. After two days, LIMA was informed that other patients’ email addresses could have been seen in the email’s BCC field. The error did not result in the exposure of any other data.

In response to the mailing error, the IT department received additional training, and LIMA further strengthened its email security policies and procedures and modified its email system for sending email messages to patients.