Email Account Breaches Impact PHI of 40,000 Individuals

Three healthcare providers have reported data breaches that affected employee email accounts. The incidents potentially resulted in the exposure and likely theft of the protected health information (PHI) of around 40,000 people.

Region IV Area Agency on Aging

On or around September 30, 2021, Region IV Area Agency on Aging in Michigan (AAA4) learned that an unauthorized person had accessed the email account of one worker who had responded to a phishing email. The objective of the cyberattack was to attempt to reroute the employee’s paychecks.

Although this appears to have been the attacker's main purpose, the email account contained the PHI of 3,171 persons. The PHI consisted of names, addresses, dates of birth, Social Security numbers, insurance details, telephone numbers, and medical ailments.

AAA4 stated that it did not find any evidence that PHI was acquired or misused; nevertheless, all affected individuals were advised to exercise caution and to monitor their explanation of benefits and account statements for suspicious activity. AAA4 said it has taken action to prevent further phishing attacks, including providing additional training to staff.

Saltzer Health

Saltzer Health discovered a breach of its email account on June 1, 2021. The provider immediately took steps to prevent further unauthorized access, and the subsequent investigation confirmed that an unauthorized individual had access to the account from May 25, 2021 to June 1, 2021. It could not be confirmed whether the attacker viewed or copied any patient information; however, third-party experts analyzed the account and confirmed that it stored the PHI of 15,650 people.

The audit was completed on September 21, 2021, and confirmed that the email account contained the following types of data: names, contact information, state ID/driver’s license numbers, patient ID numbers, medical record numbers, health histories, diagnoses, treatment records, physician details, medication data, medical insurance data, and, for a number of patients, financial account information and Social Security numbers. All affected individuals were notified by mail.

Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates, based in Colorado, identified a breach of a worker's email account on September 21, 2021. The email account was promptly secured, and third-party cybersecurity specialists were engaged to support the investigation.

A thorough analysis of emails and file attachments in the compromised account established that PHI had been exposed; however, it cannot be known whether unauthorized persons viewed or obtained any PHI. The exposed PHI contained names, birth dates, and health reports. No Social Security numbers or addresses were compromised. The breach was reported to the HHS’ Office for Civil Rights as affecting 21,450 people.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.