Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack

Health Quest, now part of Nuvance Health, has discovered the phishing attack it experienced in July 2018 was more extensive than previously thought.

Several employees were tricked into disclosing their email credentials by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been compromised.

In May 2019, Quest Health learned that the protected health information of 28,910 patients was contained in emails and attachments in the affected accounts, and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims information, and some health data.

A secondary investigation of the breach revealed on October 25, 2019 that another employee’s email account, which contained protected health information, had also been compromised. According to the substitute breach notification on the Quest Health website, the compromised information varied from patient to patient, but may have included one or more of the following data elements in addition to names:

Dates of birth, Social Security numbers, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), provider name(s), dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims information, financial account information with PIN/security code, and payment card information.

No evidence of unauthorized viewing of patient data was uncovered, and no reports have been received to indicate any patient information was misused. Out of an abundance of caution, additional letters were mailed to patients on January 10, 2020.

Quest Health is now using multi-factor authentication on its email accounts and has strengthened security processes and provided additional training to its HQ employees on phishing and other cybersecurity issues.

It is currently unclear how many additional patients have been affected. At the time of posting, the breach report on the HHS’ Office for Civil Rights breach portal still states 28,910 individuals were impacted.

The post Quest Health Systems Discovers Additional Patients Impacted by 2018 Phishing Attack appeared first on HIPAA Journal.

44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners

The Portland, ME-based healthcare provider InterMed is notifying 33,000 patients that some of their protected health information has potentially been compromised as a result of a phishing attack.

The attack was detected on September 6, 2019. An internal investigation confirmed that an email account was compromised on September 4 and that the attackers had access to it until September 6, 2019.

A leading national computer forensic firm was engaged to investigate the breach and discovered a further three email accounts had also been compromised between September 7 and September 10, 2019.

A comprehensive review of the affected email accounts was conducted, but it was not possible to determine what emails or attachments, if any, had been viewed by the attackers.

The types of information in the compromised accounts varied from patient to patient and may have included patients’ names, dates of birth, health insurance information, and some clinical information. A “very limited” number of patients also had their Social Security number exposed.

InterMed started mailing breach notification letters to affected patients on November 5, 2019. Complimentary credit monitoring and identity protection services have been offered to patients whose Social Security number was exposed.

Steps have now been taken to improve email security and training has been reinforced to ensure employees adhere to email security best practices.

Phishing Attack Impacts 11,308 Patients of Central Maine Orthopaedics

11,308 patients of Central Maine Orthopaedics, part of Spectrum Healthcare Partners, are being notified that some of their protected health information has potentially been viewed by an unauthorized individual who gained access to the email account of one of its employees.

Spectrum Healthcare Partners discovered the unauthorized access on November 14, 2019 and immediately secured the affected account. The investigation revealed the account had been breached on November 5, 2019. A review of the emails and attachments in the account revealed they contained patients’ names, dates of birth, addresses, health insurance information, clinical and treatment information, and amounts owed to Central Maine Orthopaedics.

While it was confirmed that the attacker remotely accessed the account, no evidence was uncovered to suggest patient information was obtained or misused.

Affected patients were notified out of an abundance of caution on January 13, 2020 and have been advised to monitor their explanation of benefits and account statements for any sign of fraudulent use of their information.

Spectrum Healthcare Partners has strengthened its technical controls and is providing more stringent security training to employees.

4,564-Record Breach Reported by Children’s Hope Alliance

The Barium Springs, NC-based child welfare agency, Children’s Hope Alliance, has announced that a laptop computer containing sensitive information has been stolen.

According to the substitute breach notice on the Children’s Hope Alliance website, the laptop was stolen on October 7, 2019. A digital forensic firm was engaged to determine whether the laptop contained any sensitive information. The investigation is ongoing, but the initial findings show documents on the device contained information such as names, addresses, Social Security numbers, tax identification numbers, dates of birth, usernames and passwords, and medication and dosage information.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 4,564 individuals have been impacted. The breach summary states that this was a hacking/IT incident involving email. It is unclear at this stage whether this is an error, a separate breach, or if the laptop was used to hack into the employee’s email account.

The post 44,000 Patients Impacted by Phishing Attacks on InterMed and Spectrum Healthcare Partners appeared first on HIPAA Journal.