Email Account Breaches Affect PHI of 40,000 People

Three healthcare providers have lately announced security breaches affecting the email accounts of workers. The incidents potentially led to the compromise and possible theft of the protected health information (PHI) of over 40,000 people.

Saltzer Health

Saltzer Health discovered a breach of its email system on June 1, 2021. The healthcare provider quickly took steps to avoid even more unauthorized access, with the succeeding investigation validating the unauthorized access by a person to the email account from May 25, 2021 to June 1, 2021. It cannot be determined if the attacker accessed or exfiltrated any patient data, however, third-party specialists reviewed the account and confirmed that it held the PHI of 15,650 individuals.

The review was concluded on September 21, 2021, and affirmed the inclusion of the following types of information in the email account: Names, contact details, driver’s license/state ID numbers, patient ID numbers, medical record numbers, medical histories, diagnoses, treatment data, doctor information, prescription data, health insurance data, and the financial account details and Social Security numbers of some patients. All impacted persons have already been informed by mail.

Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates located in Colorado identified a breach of the email account of an employee on September 21, 2021. The email account was quickly secured, and third-party cybersecurity professionals were engaged to help with the investigation.

An extensive evaluation of emails and attachments in the breached account established the exposure of PHI, though it can’t be determined whether unauthorized persons viewed or obtained any PHI. The compromised PHI consisted of names, dates of birth, and medical information. No addresses or Social Security numbers were exposed. The breach report was submitted to the HHS’ Office for Civil Rights as affecting 21,450 people.

Region IV Area Agency on Aging

On or around September 30, 2021, Region IV Area Agency on Aging in Michigan (AAA4) identified the unauthorized access by an individual to the email account of one staff as a result of responding to a phishing email. The goal of the cyberattack was to try to divert the worker’s paychecks.

Although this seems like the only goal of the attacker, the email account included the PHI of 3,171 persons and involved names, addresses, birth dates, Social Security numbers, insurance details, phone numbers, and health conditions.

AAA4 stated it did not find any evidence that shows any PHI was acquired or misused, however, all affected persons were informed to exercise caution and keep track of their accounts and explanation of benefits statements for suspicious activity. AAA4 mentioned it has implemented action to stop further phishing attacks, such as providing more training to the employees.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at