Two Healthcare Entities Report Phishing Attacks

Two healthcare entities have each reported phishing attacks on their email systems. A California healthcare system discovered that unauthorized individuals gained access to some employees' email accounts and may have accessed or exfiltrated emails containing patient data. In the second phishing attack, a major health plan provider announced that protected health information (PHI) of over 2,000 plan members has been exposed in a phishing attack on one of its insurance brokers.

The California healthcare system email accounts were compromised as a result of employees responding to phishing emails and disclosing their email credentials. Since then, the email environment has been secured and additional measures have been implemented to improve security. The investigation into the breach revealed the first email account was compromised on December 2, 2020, and others were compromised up until April 8, 2021. 

So far, no evidence has been found to indicate any emails or email attachments were subjected to unauthorized access between December 2020 and April 2021, and no other reports have been received that suggest the PHI of patients has been misused; however, it is not possible to rule out unauthorized PHI access and data exfiltration.

The investigation into the breach is ongoing to identify exactly what happened and the information that has been affected. Notification letters will be sent to all affected individuals once the forensic investigation is completed. The full review of affected email accounts is expected to take until September 2021. Individual notifications will be issued no later than September 30, 2021. Affected individuals will be offered a complimentary membership to credit monitoring services for 12 months.

The healthcare system explained in its substitute breach notice that the following types of information were contained in the compromised email accounts: full name, address, date of birth, email, fax number, claims information (date and cost of healthcare services and claims identifiers), laboratory results, medical diagnosis and conditions, medical record number and other medical identifiers, prescription information, treatment information, medical information, Social Security number, government identification number, payment card number or financial account number and security code, student ID number, and username and password.

Community members have been warned to be vigilant and to monitor their financial accounts and explanation of benefits statements for signs of identity theft or other fraudulent activity.

The major health plan provider identified in the second phishing attack revealed that its insurance broker identified suspicious activity in its email system on June 21, 2021. Immediate steps were taken to block further access, and an investigation was launched to determine the nature and the extent of the breach. The insurance broker determined that two employees' email accounts were compromised after the employees responded to phishing emails, and that the email accounts were subject to unauthorized access between August 6, 2020, and August 24, 2020, and again on October 2, 2020. The security breach was limited to the Microsoft 365 cloud-based email system.

A review of the email accounts revealed they contained names, member identification numbers, Social Security numbers, credit/debit card information, dates of birth, addresses, plan information, and claim information. Notification letters were sent to affected individuals on July 20, 2021, and a complimentary 2-year membership to identity theft protection services has been offered to affected individuals. The insurance broker found no evidence suggesting emails in the account had been viewed or acquired.

Issue:

All healthcare workers must understand HIPAA and how they must secure protected health information (PHI). The Privacy Rule allows access to information needed to ensure high quality healthcare and to protect the public while ensuring an individual's health information is properly protected. All staff members at all levels must demonstrate understanding of the Privacy Rule, HIPAA, and how to protect PHI. Additional information is available in the Med-Net Corporate Compliance and Ethics Manual, Chapter 5 Privacy Plan, PP 2.0 Privacy Policy and Procedure.

Discussion Points:

  • Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address how health information exchanges should be conducted between healthcare associates and timely response to requests from authorized individuals.
  • Train all staff on HIPAA, PHI, and Privacy, including responding timely to requests for records, minimally upon hire and annually. Document that these trainings occurred and file the signed training document in the employees' education files.
  • Periodically audit to ensure that the facility's policies and procedures for HIPAA, PHI, privacy, and record release are being followed by all staff, and that each person demonstrates understanding and competency.