Cano Health, a population health management company and healthcare provider based in Florida, discovered that an unauthorized person accessed the email accounts of three employees by setting up a mail forwarder on the email accounts, which then sent emails to external addresses.
Cano Health detected the breach on April 13, 2020; however, the investigation revealed that the accounts had been compromised two years earlier, on or around May 18, 2018. That means all emails that were sent and received by the accounts between May 18, 2018 and April 13, 2020 are considered to have been received and were potentially viewed.
An analysis of the emails showed that they included personal and protected health information (PHI) such as names, contact data, birth dates, healthcare data, insurance information, government identification numbers, Social Security numbers, and/or financial account numbers.
Cano Health is sending notifications to affected persons and has told them to regularly review their accounts and benefits statements for signs of fraudulent activity. Cano Health will provide affected patients with credit monitoring services for free.
Cano Health is taking action to enhance email security. The Department of Health and Human Services’ Office for Civil Rights has not posted the breach information on its website yet, and so it is unclear at this time how many patients were affected.
Phishing Attack on City of Philadelphia Impacts 33,376 Patients
The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) experienced a cyberattack resulting in the compromise of the PHI of 33,376 people.
On March 31, 2020, DBHIDS detected suspicious activity in an employee’s email account; however, the breach investigation verified that two accounts were breached on April 2, 2020. The phishing attack investigation is still ongoing and forensics specialists are currently reviewing the email accounts, although there is no evidence yet suggesting the attackers accessed or exfiltrated patient data.
The breach affects patients with intellectual disabilities who had previously obtained services from the Division of Intellectual disAbility Services (IDS). The types of information breached differed from patient to patient and may have included data elements such as names, addresses, dates of birth, Social Security numbers, health insurance data, dates of service, account and/or medical record numbers, diagnoses, provider names, and a brief explanation of the services an individual had applied for or was receiving from IDS. Scans of the birth certificates and Social Security cards of some patients were also compromised.
DBHIDS will mail breach notification letters to affected individuals in the upcoming weeks and will provide complimentary credit monitoring services.
To prevent similar breaches in the future, several steps were taken. Additional training will be provided to staff to help them to recognize phishing emails. Efforts to monitor network activity were heightened.