PHI Exposed in Email Incidents at Discovery Practice Management and One Medical

Discovery Practice Management Notifies Individuals of June 2020 Email Breach

Discovery Practice Management, a provider of administrative support services to the Authentic Recovery Center and Cliffside Malibu facilities in California, has reported that unauthorized individuals gained access to the email system it maintains for those services.

Suspicious email activity was discovered in the email environment on July 31, 2020. An investigation into the breach showed there were unauthorized sign-ins to personnel email accounts at the two facilities from June 22, 2020 to June 26, 2020.

The accounts were promptly secured and a third-party cybersecurity firm was engaged to investigate the incident; however, it could not be confirmed whether protected health information (PHI) in the accounts was accessed or exfiltrated.

The PHI potentially exposed included names, birth dates, addresses, medical record numbers, patient account numbers, medical insurance details, financial account/payment card data, driver’s license numbers, Social Security numbers, and clinical data such as diagnoses, treatment details, and medication details.

The company stated in its breach notice to the California Attorney General that it worked with both practices to verify the contact data for the 13,611 persons whose details were potentially compromised. That process was completed on June 2, 2021. Persons impacted by the breach have now been notified and have been provided a free one-year membership to credit monitoring and identity theft protection services.

Discovery Practice Management is convinced the attack was not carried out to steal patient data; instead, it is believed to have been intended to reroute invoice payments. Steps have already been taken to enhance email security, and upgraded training has been given to the facilities’ employees to help them identify and avoid suspicious emails.

Email Addresses of Hundreds of One Medical Patients Exposed

An email error resulted in the exposure of the email addresses of numerous One Medical patients. The provider sent emails to patients asking them to confirm their email addresses. The patients’ email addresses were placed in the ‘To’ field of the email rather than the ‘BCC’ field, so it’s possible that everyone who received the email could view all the email addresses.

Only the patients’ email addresses were exposed; however, the emails did reveal that the owner of an email address was a One Medical patient. A number of the persons who received the email tweeted complaints. One person claimed that the email received had 981 visible email addresses.

One Medical released an announcement on Twitter in reply to the blunder. The company acknowledged the exposure of the recipients’ email addresses and apologized for the issue. At the same time, the company said that the incident was being investigated and that there was no security breach of its systems. Appropriate measures had been implemented to avoid the same incident in the future.