Phishing Attacks Reported by LifeSprk, University of Utah Health and Oregon DHS

The senior care provider LifeSprk based in Minnesota is sending notifications to 9,000 of its clients regarding the potential compromise of some of their protected health information (PHI) because of a phishing attack in November 2019.

Lifesprk discovered on January 17, 2020 that an unauthorized person had accessed the email account of an employee. The email account was secured promptly and investigation of the breach by a third-party cybersecurity company was launched. The cybersecurity company confirmed the compromise of some employee email accounts from November 5 up to November 7, 2019.

For most of the impacted persons, the compromised information in the accounts included names, medical record numbers, medical insurance details, and certain health data. The financial data and/or Social Security number of some patients were also exposed.

The breach investigation is still ongoing. Thus far, there is no evidence found that indicate the theft or misuse of data or PHI.

The sending of breach notification letters to affected patients began on March 17, 2020. It was delayed because of the unparalleled actions that need to be taken to cope with the Covid-19 pandemic. Lifesprk offered free credit monitoring and identity theft protection services to the people whose Social Security number was compromised. Lifesprk is currently improving email security and is going to reinforce the awareness of employees regarding phishing emails.

Patients’ PHI Potentially Compromised at University of Utah Health

The University of Utah Health made an announcement that unauthorized persons accessed the email accounts of some of its employees from January 7 to February 21, 2020 and possibly accessed patients’ PHI.

The University of Utah Health found out on February 3, 2020 that there was malware installed on the workstation of an employee and that potentially allowed unauthorized persons to access the PHI of patients.

The PHI contained in the email accounts and on the compromised computer included names, dates of birth, medical record numbers, and certain clinical data associated with the healthcare services given by the University of Utah Health.

The University of Utah Health already notified the affected patients, reviewed the security procedures and made necessary updates, and will further provide security training to the employees.

The number of patients affected by the breach is uncertain at this time.

Spear Phishing Attack at the Oregon Department of Human Services

The Oregon Department of Human Services found out that an unauthorized person accessed the email account of an employee because of responding to a spear-phishing email.

There are information technology security processes in place, which identify email account compromises swiftly, therefore the possibility for data theft was limited. The Oregon DHS discovered the email security breach on March 6, 2020 and secured the account quickly. A third-party firm will give assistance in reviewing the incident to figure out what data was exposed and who were the people affected. The affected persons will be notified sooner or later.

At this time, there is no evidence that the hacker accessed, copied or misused any PHI; nevertheless, the Oregon DHS will offer identity theft protection services to all impacted clients.