Spokane Regional Health District and Catholic Health Announce Data Breaches

Spokane Regional Health District (SRHD) located in Washington encountered once again a phishing attack. This is the second time this year, the health district has reported the potential compromise of patient data after a staff responded to a phishing email.

SRHD announced on March 24, 2022 that its IT unit identified a compromised email account. The investigation just confirmed that a staff replied to a phishing email on February 24, 2022, and subsequently shared credentials that enabled the account to be accessed. Last week, SRHD stated that the email account stored the protected health information (PHI) of 1,260 people. An unauthorized individual may have ‘previewed’ that data, although there was no evidence obtained that suggests the access or download of information.

Content in the account were names, birth dates, service dates, source of referral, healthcare provider name, diagnosing status, whether the patient was located, date placed, patient risk level, staging level, how medicines were obtained, test type, test result, treatment details, medication data, delivery dates and any remedies offered to the baby, diagnostic data, medical details, and client notes.

An SRHD spokesperson stated corrective measures were taken to mitigate the current incident and avoid further phishing attacks, such as reinforcing worker cybersecurity training, employing multifactor authentication, and carrying out testing on its systems.

Similar to the other parts of the state of Washington, SRHD has encountered a record-level surge in phishing emails as well as malware installation attempts. In this incident, staff members fell victim to a phishing scam that exposed confidential data to data thieves. SRHD Deputy Administrative Officer Lola Phillips expressed their strong dedication to protecting personal data and minimizing the possibility of future attacks.

On January 24, 2022, SRHD reported the compromise of an employee email account on December 21, 2021. The email account comprised the sensitive information of 1,058 persons, which include names, dates of birth, counselor names, case numbers, test findings and dates of urinalysis, medicines, and date of the last dose.

Subsequent to that attack, SRHD mentioned it will be enhancing worker cybersecurity training, using multifactor authentication, and doing tests on its systems.

Catholic Health Informs Patients Regarding Data Theft at a Business Associate

Catholic Health has lately begun informing roughly 1,300 patients concerning the exposure of some of their PHI in a cyberattack encountered by Ciox Health, its business associate.

Ciox Health based in Buffalo, NY offers health data management services to hospitals and insurance companies. From June 24, 2021 to July 2, 2021, emails and file attachments in the email account of a Ciox Health worker had been downloaded by an unauthorized person.

The breach was noticed last year and Ciox Health learned in September 2021 that the email account comprised patient data associated with billing queries and customer support requests. An assessment of the data within the account was done at the beginning of November and impacted healthcare providers and insurance companies were informed from November 23 to December 30, 2021.

Catholic Health stated the breached data included names of patients, healthcare provider names, birth dates, dates of service, medical insurance details, and/or medical record numbers. Although Ciox’s investigation didn’t uncover any cases of fraud or identity theft because of this incident, as a safety precaution, Ciox is informing impacted Catholic Health patients.