The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Three Healthcare Providers Report Phishing Attacks

Livonia, MI-based Trinity Health has confirmed that an unauthorized individual gained access to an employee email account and potentially viewed or obtained patient information. Suspicious account activity was detected in the employee’s email account on January 5, 2023. The investigation confirmed unauthorized access to the email account occurred between December 16, 2022, and December 18, 2022.

A review of the contents of the account was completed on February 14, 2023. The types of information in the account varied from patient to patient and may have included names, medical record numbers, patient ID numbers, encounter numbers, location(s) of service, provider names and specialties, procedure name(s), insurance name/type, billing balances, and dates of birth. A limited number of individuals had their address, phone number, email address, and prescription information exposed.

Trinity Health changed the account password to prevent further unauthorized access and has reviewed its policies and procedures. Due to the nature of the exposed information, Trinity Health believes the potential for misuse is low; however, affected individuals have been offered a complimentary 12-month membership to a credit monitoring and identity theft protection service.

Trinity Health has reported the breach to the HHS’ Office for Civil Rights as affecting 45,350 individuals.

Beaver Medical Group Patients Affected by Email-Related Breach

Beaver Medical Group and Epic Management in California, part of the Optum Group, have started notifying certain patients that an employee’s workstation was compromised after the employee responded to a phishing email. The email account was accessed for a limited period of time, but during that window, emails may have been viewed or copied. The forensic investigation concluded on February 3, 2023, that the exposed information included names, member ID numbers, health plan information, and premium payment amounts.

Beaver and Epic have confirmed that they have enhanced security controls on their servers and enhanced monitoring to prevent similar breaches in the future. Epic Management has reported the breach to the HHS’ Office for Civil Rights breach portal as affecting 1,190 individuals.

AllCare Plus Pharmacy Reports Summer 2022 Phishing Attack

AllCare Plus Pharmacy in Northborough, MA, has recently reported a phishing attack to the Maine Attorney General that has affected 5,971 patients. On June 21, 2022, AllCare Plus Pharmacy identified a phishing campaign targeting multiple employees. Prompt action was taken to remove the phishing emails from its email systems and prevent unauthorized account access; however, several employee accounts were accessed by unauthorized individuals.

While no evidence of misuse of patient data has been identified, it should be assumed that protected health information was accessed or obtained. The review of the affected accounts confirmed they contained names, addresses, birth dates, Social Security numbers, driver’s license and other ID numbers, financial information, and limited health and health insurance information related to treatment and prescriptions.

AllCare Plus Pharmacy said additional security measures, internal controls, and safeguards have been implemented, and affected individuals have been offered 24 months of credit monitoring services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
