Email Security Breaches at Roper St. Francis Healthcare and Einstein Health Network

Roper St. Francis Healthcare has notified 189,761 patients that an unauthorized individual accessed some of their protected health information (PHI) stored in employee email accounts. The provider detected the email security breach in late October 2020, and the subsequent investigation confirmed that three email accounts were compromised between October 14 and October 29, 2020.

The email accounts were reviewed to determine what information could have been accessed. It was not possible to tell whether the unauthorized person viewed or exfiltrated patient data, but the attacker potentially had access to names, dates of birth, patient account numbers, medical record numbers, and limited treatment and clinical details such as dates and locations of service, providers’ names, and billing data. The email accounts also contained the health insurance details and Social Security numbers of some patients.

Roper St. Francis Healthcare offered complimentary credit monitoring and identity theft protection services to those whose Social Security number was likely compromised. Steps were taken to strengthen email security, and staff were given additional training on email security.

Einstein Healthcare Network Gives Further Information Regarding the August 2020 Email Security Incident

Einstein Healthcare Network in Pennsylvania is sending notifications to patients about a phishing attack discovered in the summer of 2020. The healthcare provider operates medical centers in Elkins Park, Philadelphia, and East Norriton. Unusual email account activity was detected on August 10, 2020. The investigation determined that an unauthorized person accessed several employee email accounts between August 5, 2020 and August 17, 2020.

The network analyzed the compromised email accounts to determine whether they contained any patient information. The analysis revealed that the emails and attachments held the following types of patient data: names, medical record numbers, patient account numbers, birth dates, diagnoses, medications, types of treatment, healthcare provider names, and locations of treatment. The types of data exposed varied from patient to patient. The Social Security numbers and medical insurance data of some patients were also included.

It was not possible to determine whether the unauthorized individual viewed or exfiltrated patient information while they had access to the email accounts. Einstein Healthcare Network began mailing breach notification letters to those likely affected on October 9, 2020, and reported the breach to the HHS’ Office for Civil Rights on the same day. The OCR breach portal lists the breach as affecting 1,821 patients.

According to Einstein Healthcare Network’s substitute breach notice, the investigation concluded on November 16, 2020. Additional letters were mailed between January 21, 2021 and February 8, 2021.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.