Police Department of the City of New York Reports 21,500-Record Data Breach
Unauthorized individuals have gained access to the email system of the Administrative Fund of the Detectives’ Endowment Association of the Police Department of the City of New York (NYCDEA) and potentially viewed or obtained the protected health information of 21,544 individuals.
Suspicious activity was detected within its email environment on December 16, 2021, passwords were changed to prevent further unauthorized access, and third-party cybersecurity experts were engaged to investigate the unauthorized activity. According to the breach report filed with the Maine Attorney General, it took until October 3, 2022, to confirm that an unauthorized third party had accessed the email system, which included sensitive information of its members. It is unclear why it took so long for the breach to be confirmed.
The review of the compromised email accounts confirmed they contain information such as names, addresses, dates of birth, driver’s license numbers, state identification card numbers, financial account numbers, usernames and passwords, payment card information, medical histories, and health insurance information. Notification letters were sent to affected individuals on October 31, 2022. Credit monitoring, fraud consultation, and identity theft protection services have been offered to affected individuals.
Two Email Accounts Compromise in Gateway Ambulatory Surgery Center Phishing Attack
Gateway Ambulatory Surgery Center in Concord, NC, has started notifying 18,479 patients that some of their protected health information was stored in email accounts that have been accessed by unauthorized individuals. An email account breach was first detected by Gateway on April 6, 2022. The third-party forensic investigation confirmed that two employee email accounts had been accessed by unauthorized individuals between February 14, 2022, and May 10, 2022, as a result of employees responding to phishing emails.
On September 1, 2022, Gateway confirmed that the email accounts contained patient information, including names, health benefit enrollment information, medical histories, health insurance information, patient account numbers, and dates of service. A limited number of patients also had their Social Security numbers and/or driver’s license numbers exposed. Notification letters were sent on October 31, 2022, and qualified patients have been offered credit monitoring, fraud consultation, and identity restoration services at no cost.
Gateway said it has implemented a new endpoint detection and response solution and has provided additional security awareness training to its workforce.
Assurance Health System Reports Breach of Two Email Accounts
Assurance Health System, an Indianapolis, IN-based provider of senior inpatient psychiatric care in central Indiana and Ohio, has recently announced that the email accounts of two employees have been accessed by unauthorized individuals. It is unclear when the unauthorized email account activity was detected but the forensic investigation confirmed that one email account was accessed by an unauthorized third party between April 8, 2022, and April 21, 2022, and another was accessed by an unauthorized individual between June 10, 2021, and March 8, 2022. The review of the email accounts was completed on September 1, 2022, and notification letters started to be sent to the 3,565 affected individuals on October 28, 2022.
The compromised email accounts contained the protected health information of patients of Assurance Health, Anew Health, and Brightwell Behavioral Health facilities, including names, contact information, Social Security numbers, driver’s license numbers, dates of birth, medical record numbers, patient account numbers, dates of treatment, facilities of treatment, medical histories, condition and diagnosis information, provider names, prescription information, and health insurance information.
Individuals whose Social Security numbers or driver’s license numbers were exposed have been offered complimentary credit monitoring and identity protection services. Assurance Health System said additional safeguards and technical security measures have been implemented to further protect and monitor its email system.
Native American Rehabilitation Association of the Northwest Email Breach Affects 2,915 Patients
Portland, OR-based Native American Rehabilitation Association of the Northwest (NARA NW) has reported a breach of the email accounts of seven employees. Suspicious activity was detected within its email system on September 1, 2022, and immediate action was taken to prevent further unauthorized access. The review of the affected email accounts confirmed they had been accessed by unauthorized individuals between August 31 and September 1 by a third party outside the United States.
The email accounts contained patient information that was mostly limited to names, dates of birth, and non-sensitive treatment information. Four of the 2,915 affected individuals had their Social Security numbers exposed. Those individuals have been offered complimentary credit monitoring services for 12 months.
NARA NW said it was prepared for such attacks, and that its technology allowed it to quickly pinpoint the exact emails and information that was accessed; however, further safeguards have now been implemented, including restricting the use of web-based email, preventing access from outside of the United States, and multi-factor authentication has now been implemented for email accounts.
Email Account Breach Reported by Work Health Solutions
Work Health Solutions, an occupational healthcare provider in San Jose, CA, has recently confirmed that an employee’s email account was accessed by an unauthorized third party between February 16, 2022, and March 24, 2022. The email account was immediately secured, and a forensic investigation and account review was conducted, which revealed on October 11, 2022, that protected health information had potentially been compromised, including full names, Social Security numbers, driver’s license numbers, health insurance information, and/or medical information.
Notification letters were sent to affected individuals on November 9, 2022. Individuals whose Social Security numbers were impacted have been offered complimentary credit monitoring services. The incident has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
Unauthorized Email Account Activity Detected by Three Rivers Provider Network
The Las Vegas, NV-based Three Rivers Provider Network, has recently reported a breach of an employee email account that contained sensitive patient information such as names, dates of birth, addresses, Social Security numbers, passport numbers, driver’s license numbers, state-issued ID numbers, and health information.
The unauthorized activity was detected on June 3, 2022, and it was confirmed on August 17, 2022, that protected health information had been exposed. No reports of misuse of patient information had been received at the time of issuing notifications. Notification letters were sent to affected individuals on November 5, 2022, and 24 months of complimentary credit monitoring services have been offered.
The post 6 HIPAA Regulated Entities Report Phishing Attacks and Unauthorized Email Account Access appeared first on HIPAA Journal.