Phishing Attacks in NC and TX Impact 30,000 Patients’ PHI

Choice Health Management Services, based in Claremont, NC, a rehabilitation services provider and operator of a few nursing facilities in North and South Carolina, has experienced an email security breach that affected its workers as well as current and past patients.

Choice Health detected the security breach in late 2019 when suspicious activity was noticed in the email accounts of a few of its workers. On January 17, 2020, an internal investigation established that 17 employees’ email accounts had been accessed without authorization. Because it wasn’t possible to know which email messages and/or email attachments the attackers had opened, a third-party company was hired to continue the investigation. The review was finished on March 27, 2020 and found that the compromised accounts held sensitive information, but it was not clear which areas the affected persons went to for treatment. It was only on May 12, 2020 that those people were tied to a specific facility.

The compromised accounts included a broad range of sensitive information such as names, Social Security numbers, dates of birth, driver’s license numbers, passport numbers, credit card data, financial account details, employer identification numbers, email addresses with a password or linked security questions, usernames with a password or linked security questions, dates of service, provider names, patient numbers, medical record numbers, medical data, diagnostic or treatment details, surgical data, prescription drugs, and/or health insurance details.

Choice Health sent notifications to the affected patients and took action to enhance security to prevent further data breaches. According to the HHS’ Office for Civil Rights breach portal, there were 11,650 people affected.

Phishing Attack on Houston Health Clinic Impacts 19,000 Patients

Legacy Community Health, a Houston, TX federally qualified health center, is notifying about 19,000 patients regarding the potential unauthorized access of some of their protected health information (PHI) by a person who obtained access to one employee’s email account.

On April 10, 2020, a worker replied to an email, believing it was a legitimate request, and revealed credentials that gave the attacker access to his/her email account. Legacy Community Health identified the breach on April 16, 2020 and immediately secured the email account.

Aided by a third-party computer forensics company, Legacy Community Health confirmed that the breach affected only one email account, which was found to contain patient names, dates of service, and health information associated with the care offered at its clinics.

The investigation into the breach is continuing and notifications will shortly be sent to all people whose information was exposed. At this time, no evidence has been found that suggests the access or misuse of any patient information.

Legacy Community Health is working to enhance email security and has enabled multi-factor authentication on its email accounts. Additional training was also provided to employees to help them identify and avoid phishing emails.