Three Data Breach Events Lead to the Exposure of PHI for 138,000 Individuals

In three separate events, attackers gained access to employee email accounts, exposing the Protected Health Information (PHI) of roughly 138,000 individuals in total.

In the first event, a Maine-based pharmacy reported a data breach that was discovered in May 2021 when suspicious activity was detected in an employee email account. An investigation determined that seven email accounts had been compromised between January 2021 and May 2021. The breach exposed the PHI of 75,771 individuals, consisting of names, addresses, and Social Security numbers. The investigation results were validated by December 14, 2021, and the pharmacy began sending notification letters to the affected individuals on February 3, 2022. The pharmacy stated that it has expanded its email security measures and is offering certain individuals complimentary credit monitoring and identity restoration services.

In the second event, a Florida spine and joint institute discovered that an employee email account had been accessed by an unauthorized individual. The investigation found that in February 2021 the PHI of 61,595 patients had been compromised. The information that may have been viewed or acquired included names, dates of birth, diagnoses, clinical treatment information, physician and/or hospital name, dates of service, and health insurance information. For certain individuals, Social Security numbers, driver's license numbers, financial account information, credit card numbers, and/or usernames and passwords were also exposed. The investigation was completed on November 22, 2021. Individuals whose Social Security numbers may have been exposed have been notified and have received a year's worth of complimentary credit monitoring. The institute reviewed its email security measures and implemented additional safeguards, including multifactor authentication, and provided further email security training to employees.

In the third event, a San Diego-based social service organization was the victim of a phishing attack. An employee received an email that appeared to be a voicemail notification; it contained a link to a website that required login credentials to be entered in order to listen to the message. The credentials entered on that site were captured and then used to access the employee's email account. The phishing attack occurred on November 16, 2021, and affected 1,300 individuals. An investigation was started the same day and found that clients' first and last names were exposed and, in some cases, clients' COVID-19 vaccination status was accessed. The organization has increased its email security and reported the breach to the HHS Office for Civil Rights.

Issue:

All healthcare workers must understand HIPAA and how to secure protected health information (PHI). The Privacy Rule permits access to the information needed to deliver high-quality healthcare and protect the public, while ensuring that an individual's health information is properly protected. Staff members at all levels must demonstrate understanding of HIPAA, the Privacy Rule, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they address how to secure PHI and how to recognize and resist attempts by unauthorized individuals to obtain credentials or access, such as the voicemail-themed credential phishing described above. Update these documents as new information becomes available.
  • Train all staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Provide additional training at least annually and whenever new threats or security information become known. Document that these trainings occurred and file the signed training record in each employee's education file.
  • Periodically audit to ensure that the facility's policies and procedures for HIPAA, PHI, and privacy are being followed by all staff, and that each person demonstrates understanding and competency.