Phishing Attack on Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System, based in Boise, ID, experienced a phishing attack that resulted in the potential exposure of patient information. The attack also impacted patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus discovered suspicious activity in one worker's email account on January 6, 2021. The provider quickly secured the account and conducted an investigation to determine the source and nature of the phishing activity. Saint Alphonsus learned that an unauthorized individual accessed the email account on January 4, 2021, and had access to the account and the data held in it for 2 days. The attacker used the email account to send phishing emails to other contacts in an attempt to steal usernames and passwords.

The employee whose credentials were compromised assisted with a number of business functions that required access to protected health information (PHI), including sending billing for the West Region of Trinity Health and Fresno.

An analysis of all email messages and file attachments revealed that the account contained the PHI of certain patients. The PHI in the account varied from one patient to another and included full names along with one or more of these data elements: telephone number, date of birth, address, email, medical record number, treatment data, and/or billing details. The account also included some Social Security numbers and credit card numbers.

Although the provider confirmed the unauthorized account access, it was not possible to ascertain which emails, if any, the attacker accessed. At the time notifications were distributed, no evidence had been found of misuse of any patient information. Saint Alphonsus offered credit monitoring services to affected persons and gave workers further training on email and cybersecurity to prevent similar breaches in the future.

A mail merge error occurred when patients were notified about the breach. Some patients received a letter informing them of an email security issue and, regrettably, because of the mail merge error the letters showed an incorrect status for a number of patients, addressing them as deceased or as a minor.

It isn’t presently known how many patients were impacted by the breach. Updates will be provided when more information is available.

Southeastern Minnesota Center for Independent Living Phishing Attack Impacts 4,122 Individuals

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has discovered that an unauthorized person obtained access to an employee's email account containing the PHI of 4,122 people.

An investigation into the security incident showed that the account was exposed on August 6, 2020, and that the attacker had access to it until September 1, 2020. On December 22, 2020, the investigation affirmed the compromise of PHI, including names, addresses, dates of birth, driver’s license numbers, Social Security numbers, and certain medical treatment details. SEMCIL started sending breach notification letters to affected persons on February 19, 2021.

The investigation did not find any evidence suggesting access to or exfiltration of any protected health information. Likewise, no report has been received that indicates improper use of any PHI. As a precaution against identity theft and fraud, individuals whose Social Security number or driver’s license number was exposed were offered free identity theft protection services.