PHI Exposed Because of Cyberattacks on HME Specialists and Sapphire Community Health

HME Specialists LLC, dba Home Medical Equipment Holdco, encountered an email security breach that resulted in the likely exposure of 153,013 individuals’ protected health information (PHI).

HME Specialists identified suspicious activity in its email system and immediately secured all breached email accounts and engaged an expert cybersecurity agency to do a forensic analysis to know the extent and nature of the security breach. The cybersecurity agency revealed on March 11, 2021 that a number of breached email accounts held PHI and that unauthorized people had email account access between June 24 and July 14, 2020.

The accounts contained information including names, birth dates, medical diagnosis and/or other clinical records, along with a number of driver’s license numbers, credit card numbers, account information, usernames, passwords, and Social Security numbers. There isn’t any particular evidence identified that indicates the attacker obtained or misused any information within the breached accounts.

HME Specialists sent by mail notifications to the impacted individuals who had an existing address in the storage system and advised them to keep monitoring their financial accounts and explanation of benefits and beware of fake transactions. All individuals whose Social Security numbers were compromised received free credit monitoring services.

Additional technical safety actions were set up for employee email accounts like multi-factor authentication. The employees also get more training on increasing awareness of the risks of malicious emails.

Ransomware Attack on Sapphire Community Health

Sapphire Community Health established in Hamilton, MT was attacked by ransomware resulting in the probable exposure of 4,000 patients’ PHI. On February 18, 2021, the provider found out about the ransomware attack because the employees couldn’t access files. To manage the problem, the healthcare provider deactivated data systems and took the appropriate scanning and recovery measures.

The breach didn’t affect the medical record system, nonetheless several encrypted files containing patient data such as names, birth dates, and addresses. A few people also had their financial account data and/or Social Security numbers for a few people were exposed.

The investigators of the breach didn’t come across any proof that indicates the exfiltration of any patient information prior to the ransomware deployment. The healthcare provider sent breach notifications to all affected people and implemented more security measures to stop other attacks.