PHI of Almost 30,000 People Exposed at Oaklawn Hospital and Mono County Breaches

Oaklawn Hospital based in Marshall, MI, sent notifications to 26,861 patients about a potential breach of their personal and healthcare information.

It wasn’t clearly stated when the hospital found out about the breach, but on July 28, 2020, the forensic investigation confirmed that unauthorized third parties got access to a number of employees’ email accounts starting April 14 until April 15, 2020. The attackers accessed the accounts after getting the response of employees to the phishing emails and having their login information. The employees spotted the breach soon after receiving reports of suspicious emails in many employee email accounts.

An extensive manual document audit verified the fact that the breached email accounts held protected health information (PHI). The breached information included patient names, birth dates, health information, and medical insurance information. A selected number of patients likewise had their driver’s license numbers, financial account information, Social Security numbers, and online account data possibly compromised. The overdue sending of notification letters was as a result of the time-consuming procedure of manually reviewing documents.

After the phishing attack, Oaklawn Hospital assessed its cybersecurity procedures and implemented measures to strengthen its technical security, including the use of multi-factor authentication. Workers also received extra security awareness training.
All affected patients were advised to keep an eye on their explanation of benefits statements and check for transactions related to healthcare services that they didn’t get. The hospital additionally provided credit monitoring services for free to those whose Social Security numbers were possibly exposed.

Even though there is a confirmation of the unauthorized email account access, no evidence supports the probability of data access or theft by the attackers. The hospital did not receive any report of patient data misuse as well.

Breach of COVID-19 Statistics Database

Mono County in California discovered that its COVID-19 statistics online database was accessed without authorization from April 2 up to July 24, 2020. The database stored the PHI of men and women who got screenings for COVID-19 prior to July 24, 2020.

The database secured information such as the sex, birth date, ethnicity, geographic location of Mono County residents, and their COVID-19 testing results. There was no name, address, or other identifying information included in the database. Mono County made the database secure on July 28, 2020 thus the database cannot be accessed anymore.

Mono County submitted the breach report to the HHS’ Office for Civil Rights indicating that 2,850 persons were affected by the incident.