Three Healthcare Companies Encounter Email Account Breaches

Here are some of the latest healthcare privacy breaches reported to the HHS’ Office for Civil Rights and state Attorneys General.

Rainbow Rehabilitation Centers Detects Email Account Breach

Rainbow Rehabilitation Centers based in Livonia, MI provide therapeutic rehabilitation services for people with injuries in the brain and spinal cord. The provider found out that an unauthorized person obtained access to the email account of an employee containing 1,749 patients’ protected health information (PHI) and the data of its employee group health plans.

Independent forensic specialists were involved to look into the breach and affirmed that just one email account was compromised. An analysis of the account showed it included PHI like names, driver’s license numbers, Social Security numbers, consultation scheduling details, and medical plan and benefits application data. It wasn’t possible to find out whether the attacker accessed any of that data, however, there was no report obtained that indicate the misuse of any patient data.

Rainbow Rehabilitation Centers had notified the affected people and provided a free one-year membership to credit monitoring and identity theft protection services.

Email Accounts Compromised at Summit Behavioral Healthcare

Summit Behavioral Healthcare based in Brentwood, TN learned about the compromise of two employee email accounts beginning in late May 2020. This healthcare provider of behavioral health services operates 18 addition treatment centers across the United States.

A third-party digital forensics company was called in to inspect the breach and confirmed on January 21, 2021 that the compromised accounts contained protected health information and unauthorized individuals could have accessed or obtained PHI.

The records contained in the accounts were different from one individual to another and may have contained names plus one or more of these types of data: diagnosis or symptom data, treatment details, prescription data, health insurance numbers, medical history, Social Security number, financial account details, Medicaid / Medicare identification numbers, and healthcare provider data.

Summit Behavioral Healthcare already notified the affected persons and gave a complimentary 12-month credit monitoring and identity theft protection services membership.

Email Account Breach at Jacobson Memorial Hospital and Care Center

Jacobson Memorial Hospital and Care Center based in Elgin, ND has found out that an unauthorized person viewed an email account with the PHI of 1,547 patients.

The hospital detected the breach on or around August 5, 2020 and a third-party cybersecurity agency was called in to investigate the breach and find out if any data were accessed. It seems that the attack was performed so as to send out spam emails from the account; nevertheless, it is likely that patient data was viewed.

The account included names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers, insurance policy numbers, credit card numbers, bank account numbers, and certain health details.

A new hospital-wide security system has currently been put in place, policies and procedures were updated, and further training was given to staff members and vendors on data protection. Jacobson Memorial Hospital and Care Center offered the affected individuals free credit monitoring and identity theft restoration services.