Spokane Regional Health District (SRHD) in Washington has once again fallen victim to a phishing attack. For the second time this year, the health district has announced patient data has potentially been compromised after an employee responded to a phishing email.
On March 24, 2022, SRHD announced that its IT department discovered a compromised email account, with the investigation recently confirming that the employee responded to a phishing email on February 24, 2022, and disclosed credentials that allowed the account to be accessed. Last week, SRHD confirmed that the email account contained the protected health information of 1,260 individuals. That information may have been ‘previewed’ by an unauthorized individual, although no evidence was found to suggest information had been accessed or downloaded.
Information in the account included names, birth dates, service dates, source of referral, provider hospital name, diagnosing state, whether the patient had been located, date located, patient risk level, staging level, how medications were collected, test type, test result, treatment information, medication information, delivery dates and any treatments provided to the baby, diagnostic information, medical information, and client notes.
A spokesperson for SRHD said corrective actions have been taken to mitigate the current breach and prevent further phishing attacks, including reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.
“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves,” said SRHD Deputy Administrative Officer, Lola Phillips. “We have a strong commitment to safeguard personal information, and we are working diligently to reduce the likelihood of future events.”
On January 24, 2022, SRHD announced that an employee email account had been compromised on December 21, 2021. The email account contained the sensitive data of 1,058 individuals, including names, birth dates, case numbers, counselor names, test results and dates of urinalysis, medications, and date of last dose.
After that attack, SRHD said it will be reinforcing employee cybersecurity training, implementing multifactor authentication, and performing testing on its systems.
Catholic Health Notifies Patients About Data Theft Incident at Business Associate
Catholic Health has recently started notifying approximately 1,300 patients that some of their protected health information has been exposed in a cyberattack on its business associate, Ciox Health.
Buffalo, NY-based Ciox Health provides health information management services to healthcare providers and insurers. Between June 24, 2021, and July 2, 2021, emails and attachments in a Ciox Health employee’s email account were downloaded by an unauthorized individual.
The breach was detected last year and in September 2021, Ciox Health learned that the email account contained patient information related to billing inquiries and customer service requests. A review of the information in the account was completed in early November, and affected providers and insurers were notified between November 23 and December 30, 2021.
Catholic Health said the compromised information included patient names, provider names, dates of birth, dates of service, health insurance information, and/or medical record numbers. “While Ciox’s investigation did not find any instances of fraud or identity theft as a result of this incident, out of an abundance of caution, beginning today, Ciox is notifying affected Catholic Health patients,” said Catholic Health, in a March 30, 2022 post on its website.
The post Spokane Regional Health District Announces Second Phishing Attack in 3 Months appeared first on HIPAA Journal.