5 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks

February 4, 2021

A roundup of healthcare phishing attacks that have been publicly disclosed in the past few days.

2,254 Patients Affected by Leonard J. Chabert Medical Center Email Account Breach

Leonard J. Chabert Medical Center has been notified that the protected health information of some of its patients has been compromised in a phishing attack on LSU Health New Orleans Health Care Services Division (LSU HCSD).

LSU HCSD announced the breach publicly on November 20, 2020, but discovered on November 24, 2020 that some patient data from Leonard J. Chabert Medical Center, its partner hospital, had also potentially been compromised.

Leonard J. Chabert Medical Center was provided with information related to the breach on December 3, 2020, the analysis of which revealed the protected health information of 2,254 patients had been exposed between September 15, 2020 and September 18, 2020.

For most patients, the exposed data was limited to names, phone numbers, addresses, medical record numbers, dates of birth, account numbers, dates of service, types of services received, and health insurance identification numbers. A small subset of patients also had their bank account number and/or limited health information such as diagnoses exposed.

LSU HCSD is reviewing its email security measures, which will be enhanced to prevent similar breaches in the future, and additional security awareness training is being provided to employees.

PHI of 1,800 Patients Potentially Compromised in Lynn Community Health Center Phishing Attack

Lynn Community Health Center (LCHC) in Massachusetts discovered an employee’s email account was accessed by an unauthorized individual following a response to a phishing email. The phishing attack was discovered on November 25, 2020 and the email account was immediately secured. Assisted by a digital forensics company, LCHC determined that a maximum of 4 email accounts may have been compromised in the attack.

A review of the potentially breached accounts revealed they contained patient names in combination with one or more of the following data elements: date of birth, mailing address, phone number, insurance information, medical record number, diagnoses, and other clinical information. A subset of patients also had their Social Security number exposed.

The investigation, which is ongoing, has not uncovered any evidence to suggest patient data was stolen or misused, but as a precautionary measure, individuals whose Social Security number was potentially compromised have been offered complimentary credit monitoring and identity theft protection services.

Additional safeguards and security measures are being implemented to prevent further email security breaches, information protocols are being revised, and employee security awareness training has been reinforced.

1,440 Individuals Affected by Montgomery Hospice Phishing Attack

Montgomery Hospice, Inc. in Rockville, MD has learned that an unauthorized individual gained access to the email account of an employee on August 20, 2020. The breach was detected on November 16, 2020 and the email account was immediately secured.

A third-party cybersecurity firm was engaged to assist with the investigation, but it was not possible to determine which, if any, of the emails in the account were viewed or copied. A review of the email account confirmed the protected health information of 1,440 patients had been exposed, including names, medical record numbers, dates of birth, Social Security numbers, health insurance information, and limited medical information.

Affected individuals started to be notified about the breach on January 15, 2021. Only a limited number of patients had their Social Security numbers exposed and those individuals have been offered complimentary credit monitoring and identity protection services.

The hospice has since taken steps to improve email security and enhance its security infrastructure. Further training has also been provided to the workforce on how to identify and avoid phishing emails.

Auris Health Notifies Patients About March 2020 Email Account Breach

Redwood City, CA-based Auris Health has started notifying certain patients that some of their protected health information has potentially been accessed by an unauthorized individual who gained access to the email account of an employee in March 2020.

Upon discovery of the breach, access to the account was terminated and an investigation was conducted to determine the nature and scope of the breach. The investigation into the attack is ongoing, but Auris Health has determined that the compromised email account included patient names in combination with one or more of the following data elements: Social Security number, tax identification number, passport number, health insurance number, health information, payment card information, and financial account number(s).

Auris Health is implementing additional security measures to prevent further breaches in the future, including enhancing its email authentication measures. Affected individuals have been offered a 2-year complimentary membership to credit and identity theft monitoring services.

The post 5 Healthcare Providers Have Started Notifying Patients About Recent Phishing Attacks appeared first on HIPAA Journal.