Phishing Attacks and Unauthorized Email Account Access Reported by 6 HIPAA Regulated Entities

21,500-Record Data Breach Reported by Police Department of the City of New York

Unauthorized persons have gotten access to the Administrative Fund of the Detectives’ Endowment Association of the Police Department of the City of New York (NYCDEA) email system and possibly viewed or acquired the protected health information (PHI) of 21,544 persons.

Upon discovery of suspicious activity in its email system on December 16, 2021, NYCDEA changed passwords to stop continuing unauthorized access and engaged third-party cybersecurity specialists to look into the unauthorized activity. Based on the breach report submitted to the Maine Attorney General, an unauthorized third-party access to the email system and sensitive information was confirmed only on October 3, 2022. It is unknown why the confirmation of the breach took a very long time.

The evaluation of the breached email accounts showed they include data like names, addresses, dates of birth, driver’s license numbers, state ID card numbers, payment card details, financial account numbers, usernames and passwords, medical background, and medical insurance details. Notification letters were mailed to impacted persons on October 31, 2022. Credit monitoring, identity theft protection services and fraud consultation were provided to impacted persons.

Two Email Accounts Breach in Phishing Attack at Gateway Ambulatory Surgery Center

Gateway Ambulatory Surgery Center located in Concord, NC, has begun informing 18,479 patients that unauthorized individuals potentially accessed some of their PHI that was saved in email accounts. The medical center discovered the email account breach first on April 6, 2022. According to the third-party forensic investigation, unauthorized individuals accessed two employee email accounts from February 14, 2022 to May 10, 2022, because of employees clicking on phishing emails.

It was confirmed by Gateway on September 1, 2022 that the email accounts included patient data, such as names, health benefit enrollment data, medical background, medical insurance data, dates of service, and patient account numbers. The driver’s license numbers and/or Social Security numbers of some patients were likewise exposed. Gateway sent notification letters on October 31, 2022, and offered free credit monitoring, identity restoration, and fraud consultation services to qualified patients.

Gateway stated it has enforced a new endpoint detection and response program and has given extra security awareness training to its employees.

Two Email Accounts Breached at Assurance Health System

Assurance Health System based in Indianapolis, IN offers senior inpatient psychiatric care services in central Indiana and Ohio. It recently reported that unauthorized persons accessed the email accounts of two employees. It is uncertain when the provider detected the unauthorized email account activity; however, the forensic investigation affirmed that an unauthorized third party accessed one email account from April 8, 2022 to April 21, 2022, and had another unauthorized access from June 10, 2021 to March 8, 2022. The health system finished the analysis of the email accounts on September 1, 2022, and began sending notifications to the 3,565 impacted people on October 28, 2022.

The breached email accounts held the PHI of patients of Assurance Health, Brightwell Behavioral Health facilities, and Anew Health, which include names, contact details, driver’s license numbers, Social Security numbers, birth dates, patient account numbers, medical record numbers, dates of treatment, treatment facilities, medical background, condition and diagnosis data, provider names, prescription data, and medical insurance details.

Persons who had their driver’s license numbers or Social Security numbers exposed were offered free credit monitoring and identity protection services. Assurance Health System stated that it implemented extra safety measures and technical security procedures to further secure and keep track of its email system.

2,915 Patients of Native American Rehabilitation Association of the Northwest were Affected by Email Breach

Native American Rehabilitation Association of the Northwest (NARA NW) based in Portland, OR has submitted a breach report involving the email accounts of seven staff members. NARA NW detected suspicious activity inside its email system on September 1, 2022 and took quick action to stop continuing unauthorized access. The analysis of the impacted email accounts showed unauthorized access from August 31 to September 1 by a third party located outside America.

The email accounts included patient data such as names, birth dates, and non-sensitive treatment data. Four of the 2,915 impacted persons had their Social Security numbers compromised. Those persons were given free credit monitoring services for one year.

NARA NW stated it was ready for such incidents, and that it had the technology in place to immediately determine the particular emails and data that were accessed; nevertheless, additional safety measures have already been carried out, such as limiting the usage of cloud-based email, blocking access coming from beyond the United States, and using multi-factor authentication for email accounts.

Work Health Solutions Email Account Breach

Occupational healthcare provider Work Health Solutions in San Jose, CA recently reported that an unauthorized third party accessed an employee’s email account from February 16, 2022 to March 24, 2022. The provider immediately secured the email account and started a forensic investigation. The account evaluation that was conducted confirmed the potential breach of PHI on October 11, 2022. Full names, driver’s license numbers, Social Security numbers, medical insurance data, and/or medical data may have been compromised.

Work Health Solutions sent notification letters to impacted persons on November 9, 2022 and offered free credit monitoring services to those who had their Social Security numbers affected. The incident is not yet posted on the HHS’ Office for Civil Rights breach website, therefore it is presently uncertain how many persons were impacted.

Three Rivers Provider Network Reports Unauthorized Email Account Activity

Three Rivers Provider Network based in Las Vegas, NV recently announced an employee email account breach that affected sensitive patient data such as names, birth dates, addresses, passport numbers, Social Security numbers, state-issued ID numbers, driver’s license numbers, and health data.

The company detected the unauthorized activity on June 3, 2022, and confirmed on August 17, 2022 the exposure of PHI. No report of patient data misuse was received during the issuance of notifications. The affected individuals received notification letters on November 5, 2022 and offers of free credit monitoring services for 24 months.