PHI of 138,000 People Exposed Because of 3 Email Security Incidents

Hackers have acquired access to email accounts that contain protected health information (PHI) at Volunteers of America Southwest California, Injured Workers Pharmacy, and iRise Florida Spine and Joint Institute.

Injured Workers Pharmacy

Injured Workers Pharmacy based in Andover, MA has recently reported a data breach to the Maine Attorney General. The incident was discovered on or about May 11, 2021, upon seeing suspicious activity in an employee’s email account. The pharmacy immediately secured the email account and engaged third-party computer forensics professionals to investigate the attack. The investigation confirmed the compromise of 7 email accounts from January 16, 2021 to May 12, 2021.

Third-party data review experts were engaged to look at the emails and file attachments in the exposed accounts, which affirmed they included the PHI of 75,771 people like names, addresses, and Social Security numbers. Following the review, Injured Workers Pharmacy confirmed the results, and that process was finished on or approximately December 14, 2021. The pharmacy began sending notification letters to affected individuals on February 3, 2022.

Injured Workers Pharmacy mentioned it has augmented its email security measures and is giving some impacted persons complimentary credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has found out a worker email account that contains the protected health information of 61,595 patients was accessed by an unauthorized individual. The forensic investigation revealed the hacker got access to the email account between February 24, 2021 and February 26, 2021.

A thorough assessment of email messages and attachments was performed, and the procedure was accomplished on November 22, 2021. iRise stated the following types of information were potentially viewed or obtained at the time of the attack: Names, dates of birth, diagnoses, clinical treatment data, physician and/or hospital name, dates of service, and health insurance details. The Social Security numbers, driver’s license numbers, financial account details, credit card numbers, and/or usernames and passwords of a few persons were likewise exposed.

Affected people were informed and a one-year membership to a credit monitoring service was offered for free to persons whose Social Security numbers were exposed. iRise has examined its email security procedures and has carried out extra technical safeguards, which include multifactor authentication. The workforce is also provided extra training on email security.

Volunteers of America Southwest California

The social service organization based in San Diego, CA Volunteers of America Southwest California, lately announced it encountered a phishing attack. A worker got an email that is like a voicemail message, that has a hyperlink to a web page that required the input of login information in order to listen to the message. The access credentials were captured and utilized to view the staff’s email account.

The attackers viewed the email account on or about November 16, 2021, and the attack was discovered and secured on November 16. An evaluation of the email account showed it comprised the first and last names of clients in most of the cases, with a number of the records at the same time including the COVID-19 vaccination status of individuals.

The breach appears to have been fully remediated and third-party specialists were employed to verify the containment steps. Email security was enhanced because of the breach.

The organization submitted the breach report to the HHS’ Office for Civil Rights indicating that 1,300 people were affected.