Birmingham, AL-based Henderson & Walton Women’s Center (HWWC) has recently notified 34,306 patients that some of their protected health information may have been compromised as a result of a hacker gaining access to the email account of one of its employees. HWWC said the forensic investigation of the data breach confirmed the attacker did not gain access to the email server and the breach was confined to the email account of one employee.
HWWC did not disclose when the email account was compromised but said there was a delay in issuing notification letters due to the lengthy process of reviewing all emails in the account to determine the types of information and specific individuals that had been affected. That process concluded on June 24, 2022.
HWWC said it had implemented encryption for all external emails, but the forensic investigation determined that stored emails may have been accessed. Those emails contained patient information such as names, dates of birth, Social Security numbers, medical information, health insurance information, driver’s license numbers, and state ID numbers. The information exposed varied from patient to patient.
Notification letters were sent to all affected individuals in August. As a precaution against identity theft and fraud, complimentary memberships have been offered to a credit monitoring service for 12 months. Steps have also been taken to improve the security of its email system, including implementing a new procedure for automatically deleting emails containing PHI after 3 days, and a system is being implemented that will prevent the sharing of any personal information via email.
Genesis Health Care Reports Cyberattack and Data Breach
The Columbia, SC-based nonprofit Federally Qualified Health Center, Genesis Health Care, has recently notified the Montana Attorney General about a cyberattack that was detected on April 11, 2022.
Suspicious activity was detected in certain IT systems, prompting a comprehensive investigation. Third-party digital forensics specialists were engaged to determine the nature and scope of the incident and help restore the functionality of its systems. The investigation confirmed on June 9, 2022, that files may have been accessed or exfiltrated from its systems between January 19, 2022, and April 11, 2022. A programmatic and manual review of the affected files confirmed on July 13, 2022, that they contained patient information including, but not limited to, names and Social Security numbers. Genesis Health Care said it is reviewing its policies and procedures and will evaluate additional measures and safeguards to prevent similar breaches in the future.
The breach has yet to appear on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.
The post Data Breaches Reported by Henderson & Walton Women’s Center & Genesis Health Care appeared first on HIPAA Journal.