A phishing attack on Alomere Health in Alexandria, MN resulted in the potential access of the protected health information (PHI) of almost 50,000 patients by unauthorized individuals.
After discovering the phishing attack on November 6, 2019, Alomere Health started an internal investigation, which confirmed that an email account had been accessed without authorization from October 31 to November 1, 2019.
A computer forensics firm assisted with the investigation and, on November 10, 2019, found that a second email account had been breached on November 6.
After a comprehensive assessment of the compromised accounts, the investigators confirmed that certain emails and attachments contained PHI. The types of information possibly compromised in the breach differed from one patient to another, but the following data elements may have been included: names, dates of birth, addresses, medical record numbers, medical insurance details, treatment data, and/or diagnosis data. The accounts also contained some patients’ driver’s license numbers and Social Security numbers.
Alomere Health did not confirm whether the hackers accessed or copied any emails or attachments containing PHI, but it cannot be certain that there was no unauthorized data access or theft. On January 3, 2020, Alomere Health notified all 49,351 patients whose information was potentially compromised.
People whose driver’s license number or Social Security number was compromised received free credit monitoring and identity theft protection services for one year. To date, no reports of misuse of patient data have been received.
Alomere Health has further enhanced its cyber defenses and provided additional HIPAA security awareness training to its employees so that they can identify email-based threats.
Mailing Error Impacts Mercy Health Lorain Hospital Laboratory Patients
RCM Enterprise Services, Inc. provides patient billing services to Mercy Health Lorain Hospital Laboratory, Ohio. RCM notified some patients of Mercy Health Lorain Hospital Laboratory about the impermissible disclosure of their individually identifiable personal data.
An error was mistakenly introduced into the invoice mailing process, leaving Social Security numbers visible through the windows of the envelopes that RCM’s contracted mailing vendor used for a medical invoice mailing delivered on or around November 7, 2019.
The only information that should have been visible on the invoices was the name and address (street, city, state, and zip code). Because of the error, the patients’ name, street address, and Social Security number (rather than the city and zip code) were visible.
RCM’s Director of Revenue Cycle Management, Barbara Shaub, said that the company takes data privacy and security seriously and has updated procedures to avoid similar incidents.
RCM has not received any reports indicating misuse of patient data. As a safety measure, all affected people received free credit monitoring and identity theft protection services, though there is no clear information on how many people were affected.