Phishing Attacks at Academic HealthPlans and Wayne County Hospital

Academic HealthPlans, Inc. (AHP) learned that an unauthorized person has obtained access to the email accounts of two workers after they responded to phishing emails.

AHP was informed of a potential breach upon detecting suspicious activity in its Microsoft Office 365 email account. The impacted accounts were made secure, and an investigation was started to find out the scope of the data breach. On June 4, 2021, AHP confirmed that the email accounts were exposed due to phishing attacks from August 6, 2020 to August 24, 2020, and on October 2, 2020. The breach only affected the two accounts and didn’t affect any other systems.

A thorough and time-intensive programmatic and manual evaluation was done to determine the persons and data impacted. That review affirmed that the email accounts included data associated to the student health plans administered by AHP.

The compromised information consist of student names, birth dates, Social Security numbers, medical insurance member numbers, claims data, and diagnoses and treatment data. There is no proof received that indicates the actual viewing of any email messages or attachments in the accounts.

Impacted self-insured universities and health plans were informed from June 21, 2021 to July 7, 2021. AHP began giving notification letters to impacted persons on June 29, 2021. AHP has provided eligible persons complimentary credit monitoring and identity theft protection services.

Comprehensive training was provided to workers to assist them in recognizing phishing emails and other threats. Current security procedures were also improved.

AHP already reported the breach to the HHS’ Office for Civil Rights as impacting 2,330 people.

2,016 Patients Impacted by Phishing Attack on Wayne County Hospital in Iowa

Wayne County Hospital in Corydon, IA is notifying 2,016 patients regarding the possible theft of their protected health information (PHI). On March 22, 2021, the hospital learned about a breach of its email system. Email accounts were promptly secured to avoid more unauthorized access. A third-party cybersecurity firm helped to investigate the breach and find out the magnitude of the attack.

The investigation showed that unauthorized persons had acquired access to email accounts because the employees responded to phishing emails. The breached email accounts included the following data: names, addresses, driver’s license numbers, Social Security numbers, financial account data, treatment or procedure details, names of medical provider or facility, diagnoses, prescription drugs, medical record numbers, insurance details, and service dates. To date, there were no reports of patient data misuse received.

Wayne County Hospital stated it will take the necessary steps to avoid the same breaches down the road.