Phishing Attacks on Healthcare Resource Group and Confido Compromised the PHI of Patients

Confido, a pharmacy benefits consulting firm started sending notification letters to 3,600 of its clients’ employees, members, and their dependents regarding the potential access of some of their personal information by an unauthorized individual who got access to the email account of an employee.

Confido detected the email account breach on December 12, 2020 and launched an investigation to find out the enormity and scope of the breach. A third-party security firm assisting Confido established on January 17, 2020 that an unauthorized individual accessed the email account for two weeks from November 29, 2019 to December 12, 2019. The investigators could not determine if the hacker downloaded information from the email account, but the probability cannot be ruled out.

An extensive review of the email account revealed it contained information such as names, birth dates, health insurance details, Social Security numbers, prescription data, treatment data, and clinical details for instance diagnoses and healthcare provider names.

People affected by the breach received breach notification letters on February 10, 2020. No cost credit monitoring services were made available to people who had their Social Security numbers exposed.

Because of the breach, Confido provided further training on security awareness to its workers and implemented more procedures to reinforce email security.

Phishing Attack on Healthcare Resource Group Impacts Barlow Respiratory Hospital Patients

Healthcare Resource Group is the billing services provider of Barlow Respiratory Hospital in Los Angeles, CA. An unauthorized person accessed the email account of an employee of the Healthcare Resource Group. The investigation into the breach revealed that the hacker had access to the email account between November 4, 2019 and November 30, 2019.

Based on the email account analysis, the emails and attachments included a limited amount of protected health information (PHI) of current and past patients of Barlow Respiratory Hospital.

A third-party company reviewed the account to ascertain the types of information compromised. On February 27, 2020, the completed review revealed that patient names were exposed in addition to one or more of the following data elements: Social Security number, date of birth, driver’s license number, medical record number, patient account number, health insurance data, treatment details, and medical billing or claims information.

Healthcare Resource Group mailed notifications to affected patients of Barlow Respiratory Hospital on April 7, 2020. The Group also offered one year’s membership to credit monitoring and identity theft restoration services to affected patients.