Three healthcare organizations recently had to notify patients that their protected health information (PHI) may have been exposed due to email security incidents and phishing attacks.
In January 2022, a West Virginia medical center was a victim of a phishing attack that impacted over 54,000 individuals. An unauthorized individual gained access to some of the center’s employee email accounts using a phishing scam. This resulted in patient names, medical record numbers, test results, and other treatment information being compromised. The medical center stated that they took immediate action as soon as the attack was known, and have enhanced their technical security measures in an effort to prevent similar events in the future. They stated that they already routinely train their employees on data privacy and cybersecurity issues, and they will be providing additional trainings related to the incident. The medical center encouraged potential victims to remain vigilant against identity theft and fraud.
In October 2021, an IT incident at a Minnesota mental health center potentially exposed the information of over 28,000 individuals. Upon discovery of the incident, the center secured its email accounts and hired a team of third-party forensic investigators. The investigation revealed that the IT incident had occurred over a five week period, and personal information such as addresses, clinical information, treatment locations, doctors’ names, patient account numbers, and treatment information were exposed by the breach. Some Social Security numbers, financial account information, and driver’s license numbers were also impacted. The mental health center stated that they took immediate steps to secure their systems, and to prevent further unauthorized access. They also implemented safeguards and security measures to enhance the privacy and security of information in their systems.
An Illinois-based clinic experienced an email security incident that potentially exposed patient information. Between July 14 and August 19, 2021, an unauthorized individual maintained access to one email account to intercept a business transaction between the clinic and a third-party vendor. The clinic determined that the breached information may have included names, Social Security numbers, medical information, health insurance information, and addresses. The clinic and forensic investigators could not determine the extent of the access. The clinic sent notices to all individuals who may have been impacted and have implemented additional safeguards to protect patient data.
Issue:
The healthcare sector must continue to be proactive in preventing cyberattacks. Nursing facility leaders and the privacy officer should collaborate with the IT department to ensure that the sensitive data that is housed within their computer systems is protected. All staff that have access to the computer network should be trained on current best practices in preventing data breaches and what they must do to assist in the prevention of these exposures.
Discussion Points:
- Review facility policies and procedures on cybersecurity. Ensure that policies are kept current based on best practices in preventing data breaches.
- Train all appropriate staff on best practices to avoid data breaches and their individual responsibility to prevent, identify, and report concerns. Document that the trainings occurred, and file in each employee’s education file. Provide additional training as new information becomes available.
- Periodically audit to ensure that staff are knowledgeable and utilizing best practices in preventing data breaches.