Alive Hospice in Tennessee found that two of its employees' email accounts were compromised through phishing attacks. While examining its email system on May 15, 2018, Alive Hospice noticed recurring unauthorized access to the email accounts. Soon after discovering the breach, it blocked the third-party account access by resetting the account password. Investigators from a third-party forensics company were hired to determine the nature and extent of the email breach.
The investigation confirmed that the first email breach happened on or around December 20, 2017. The second email breach happened some time on April 5, 2018. The two email accounts contained patients' protected health information (PHI), which the hacker potentially accessed or viewed.
The information that was affected by the breach varied from patient to patient. The PHI involved names, birth dates, birth and death certificates, Social Security numbers, driver’s license numbers, passport numbers, financial account numbers, prescription medications, biometric identifiers, health history, treatment details, medical insurance numbers, IRS PIN numbers, security questions and answers, usernames, passwords and digital signatures.
The investigators did not uncover any information indicating that the hacker accessed or copied the data, nor any reports suggesting inappropriate use of patient health data. Alive Hospice sent notification letters to all individuals affected by the breach on July 13, 2018. The patients were given 12 months of free credit checking and identity theft protection services. Because of the sensitivity of the compromised data, patients were warned to keep track of their accounts and watch out for suspicious transactions.
Alive Hospice stated that it had already put strict security settings in place on its system. Unfortunately, they were not sufficient to defend against cyber criminals. Further security steps are being put in place to protect against future cyber attacks. The HHS' Office for Civil Rights has not yet posted the incident on its breach web portal, so the actual number of patients impacted by the incident is not clear at this point. Alive Hospice did not detail this information in its substitute breach notice either.