110,000+ Patients’ PHI Exposed Due to Phishing Attacks on Overlake Medical Center & Clinics and VibrantCare Rehabilitation

A phishing attack on Overlake Medical Center & Clinics based in Bellevue, WA in December 2019 resulted in the potential compromise of some personal and protected health information (PHI) of 109,000 patients.

Overlake Medical Center & Clinics detected the phishing attack on December 9, 2019 and forced a password reset to block unauthorized access. Overlake confirmed that one email account was compromised from December 6, 2019 until December 9, the date the account was secured. Other email accounts were also compromised on December 9, but the attacker potentially had access to them for only a few hours.

An analysis of the compromised accounts revealed that they contained patient names, addresses, telephone numbers, dates of birth, health insurance ID numbers, health insurance provider names, and diagnosis and treatment data associated with the care received at Overlake. No financial data or Social Security numbers were compromised. The investigation found no evidence of data theft, and no reports have been received suggesting misuse of patient data.

Overlake Medical Center & Clinics has already taken steps to prevent similar breaches in the future, including improving email security to block phishing emails, implementing multi-factor authentication for email accounts, enhancing HIPAA security awareness training for staff, and adopting new email retention policies.

Overlake started delivering notification letters via mail to affected patients on February 4, 2019. The provider reported the data breach to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2019.

VibrantCare Rehabilitation Phishing Attack

VibrantCare Rehabilitation, a physical therapy provider in California, found out that an employee's email account was compromised after the employee responded to a phishing email.

Unusual activity was detected in the email account, which prompted VibrantCare to hire third-party computer specialists to investigate a potential breach. The investigation revealed that an unauthorized person accessed the email account from August 20, 2019 to August 27, 2019. A thorough analysis of the email account showed that it contained the protected health information of 1,655 patients.

Different patients had varying types of data exposed. In addition to first and last names, the following data elements may have been exposed: financial account information, credit or debit card data, demographic information, Social Security numbers, student identification numbers, driver’s license numbers, military identification numbers, government or state identification numbers, passport numbers, alien registration numbers, medical and treatment data, health insurance information, patient numbers, Medicare or Medicaid numbers, medical record numbers, and prescription data.

No evidence of data access or theft was found, and no reports have been received indicating misuse of patient information; nevertheless, as a precaution, affected patients were advised to monitor their accounts, credit reports and explanations of benefits for suspicious activity.

VibrantCare Rehabilitation is currently reviewing and improving its existing policies to prevent future phishing attacks.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA