Oaklawn Hospital, located in Marshall, MI, has begun informing 26,861 patients of a potential compromise of their personal and medical data.
It is not clear when the hospital detected the breach; however, the forensic investigation showed on July 28, 2020, that unauthorized third parties accessed certain employees’ email accounts from April 14 to April 15, 2020. The hackers were able to access the accounts after the employees responded to phishing emails and gave away their login credentials. The employees noticed the breach after finding suspicious emails in a number of employee email accounts.
A thorough manual document analysis confirmed that the compromised email accounts contained protected health information (PHI). The compromised accounts contained patient names as well as birth dates, medical data, and medical insurance details. A very limited number of patients also had their driver’s license numbers, Social Security numbers, financial account details, and online login data potentially exposed. The issuance of notification letters was delayed by the time-consuming process of manual document review.
Because of the phishing attack, Oaklawn Hospital reviewed its cybersecurity solutions and took steps to enhance its technical security measures, which include using a multi-factor authentication application. Employees were also given training on security awareness.
All patients impacted by the data breach were instructed to keep track of their explanation of benefits statements and see if there are transactions associated with healthcare or services that they did not receive. The hospital also offered free credit monitoring services to the persons who had their Social Security numbers potentially compromised.
Although the unauthorized email account access was affirmed, no evidence was found indicating that the attackers accessed or stole patient information. There was also no report of any patient data misuse.
Mono County Reveals Breach of COVID-19 Statistics Database
Mono County, based in California, found out that an unauthorized person acquired access to its COVID-19 statistics online database from April 2 to July 24, 2020. The database contained the PHI of people who were screened for COVID-19 before July 24, 2020.
The database contained the birth date, gender, ethnicity, and geographic area of residence of people in Mono County, along with their COVID-19 test results. There were no names, addresses, or other identifying data contained in the database. Mono County secured the database on July 28, 2020, so that it is no longer accessible.
The breach report sent to the HHS’ Office for Civil Rights indicates that the database breach affected the PHI of 2,850 persons.