The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Highmark Health Phishing Attack Affects 275,000 Patients

Pittsburgh, PA-based Highmark Health, the second-largest integrated delivery and financing system in the U.S., has recently announced that an unauthorized individual accessed the email account of one of its employees after the employee responded to a phishing email. After the employee clicked the link in the email and disclosed their credentials, the account was accessed remotely by an unauthorized third party who potentially viewed and exfiltrated emails and attachments from the account.

The unauthorized account activity was detected by Highmark Health on December 15, 2022, with the initial compromise occurring on December 13, 2022. A review of the emails and attachments revealed they contained the protected health information of health plan members, such as group name, identification numbers, claim numbers, dates of service, procedures, prescription information, addresses, phone numbers, email addresses, and financial information. The Social Security numbers of a subset of individuals were also exposed.

When the breach was detected, the affected mailbox was immediately deactivated, network blocking was implemented, and passwords were reset. Email security controls have also been enhanced and further training has been provided to employees on how to identify phishing attempts and other cyber threats. While no evidence of misuse of the affected data has been identified, affected individuals are being offered complimentary credit monitoring and identity theft protection services, irrespective of whether their Social Security numbers were involved.

According to the data breach notice sent to the Maine Attorney General, up to 300,000 individuals have been affected, including 2,774 Maine residents. Notification letters are being mailed on February 13, 2023. On February 10, 2023, the breach was reported to the HHS’ Office for Civil Rights as two separate incidents, affecting 239,039 and 36,600 individuals (275,639 in total).

Cardiovascular Associates Reports Cyberattack Involving Data Theft

On December 5, 2022, Cardiovascular Associates (CVA) in Birmingham, AL discovered suspicious activity within its computer systems. The systems were isolated while the potential intrusion was investigated, with the forensic analysis confirming hackers first gained access to its IT environment on November 28, 2022. Between that date and December 5, files containing patient data were exfiltrated from its systems.

The review of the affected files confirmed they contained names, dates of birth, addresses, Social Security numbers, health insurance information, medical and treatment information, billings and claims information, passport numbers, driver’s license numbers, credit/debit card information, and financial account information and, for a limited number of individuals, usernames and passwords. CVA said its systems were secured as soon as the unauthorized activity was detected and its security and monitoring capabilities have been improved to prevent similar breaches in the future. Affected individuals have been offered complimentary credit monitoring and identity restoration services.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 441,640 individuals.

Patient Data Potentially Stolen in Cyberattack on Aspire Surgical

UT Specialty Dental Services, PLLC, which operates several oral and maxillofacial surgery centers in Utah under the name Aspire Surgical, has recently confirmed it was the victim of a cyberattack in December 2022, which may have involved unauthorized access to and the theft of sensitive patient data.

The cyberattack was detected on December 7, 2022, and third-party cybersecurity experts were immediately engaged to contain, assess, and remediate the attack. The investigation confirmed the attackers had access to parts of its IT environment that contained patient data such as names, patient account numbers, dates of service, and amounts paid. Medical treatment records, Social Security numbers, and financial information were not exposed.

While no evidence has been found to indicate any misuse of patient data, affected individuals have been offered complimentary credit monitoring and identity theft protection services. Aspire Surgical has reviewed and enhanced its data security policies and procedures to protect against similar security breaches in the future.

The incident has been reported to the HHS’ Office for Civil Rights as affecting 5,327 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
