The Florida-based population health management company and healthcare provider Cano Health has discovered the email accounts of three employees have been accessed by an unauthorized individual who set up a mail forwarder on the email accounts that sent emails to external addresses.
The breach was detected on April 13, 2020, but the investigation revealed the accounts were compromised two years previously, on or around May 18, 2018. All emails sent to and from the accounts between May 18, 2018 and April 13, 2020 are believed to have been obtained and have potentially been accessed.
A review of the emails confirmed they contained personal and protected health information such as names, contact information, dates of birth, healthcare information, insurance information, social security numbers, government identification numbers and/or financial account numbers.
Cano Health is in the process of notifying affected individuals and has advised them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will be providing affected patients with complimentary credit monitoring services.
Cano Health is taking steps to improve email security. “We are committed to continuously updating our information security to guard against new and emerging threats,” said Cano Health Chief Executive Officer, Dr. Marlow Hernandez-Cano.
The breach has yet to appear on the Department of Health and Human Services’ Office for Civil Rights website, so it is currently unclear how many patients have been affected.
City of Philadelphia Phishing Attack Impacts 33,376 Patients
The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) has announced it has experienced a cyberattack that has resulted in the exposure of the protected health information of 33,376 individuals.
On March 31, 2020, suspicious activity was detected in the email account of an employee, although the breach investigation confirmed on April 2, 2020 that two email accounts had been compromised. The investigation into the phishing attack is ongoing and forensics experts are currently reviewing the email accounts, but no evidence has been found indicating patient data was accessed or exfiltrated by the attackers.
The breach affects patients with intellectual disabilities who had previously received services from the Division of Intellectual disAbility Services (IDS). The types of information compromised varied from patient to patient and may have included the following data elements: Names, dates of birth, addresses, Social Security numbers, health insurance information, account and/or medical record numbers, diagnoses, dates of service, provider names, and brief descriptions of the services the individual had applied for or were receiving from IDS. A limited number of scans of birth certificates and Social Security cards were also included in the compromised accounts.
Breach notification letters will be sent to affected individuals by mail in the coming weeks and complimentary credit monitoring services will be provided.
Several steps have been taken to prevent similar breaches from occurring in the future. Staff will be provided with further education to help them recognize phishing emails and monitoring of network activity has been increased.
Email Security Breach Experienced by MU Health Care
Columbia, MO-based MU Health Care has started notifying patients about an email security breach that was detected on September 21, 2019.
The attacker gained access to the email accounts of certain University of Missouri students affiliated with MU Health Care. The affected students had created email accounts with a third party that suffered a data breach in which email credentials were stolen. Those credentials were then used to access the students’ university email accounts between September 21 and September 26, 2019.
The breach only affected the students whose accounts were accessed. Their email accounts contained information such as names, dates of birth, Social Security numbers, and limited treatment and clinical information.
The breach highlights how important it is to use a unique password for all accounts.
The post Cano Health Discovers 2-Year Email Account Breach appeared first on HIPAA Journal.