Malicious persons accessed the email accounts of four employees working at Primary Health Care Inc., a non-profit network of community health centers in Des Moines, Marshalltown and Ames, IA. The unauthorized persons may have viewed or stolen the protected health information (PHI) of Primary Health Care patients.
On March 16, 2018, Primary Health Care issued a press release and posted a substitute breach notice on its official website. The announcement explained that the breach happened on February 28, 2017 and was discovered the next day on March 1, 2017. Primary Health Care is working on the notification letters to be issued to the patients affected by the data breach. The breach notification report will be submitted to the Department of Health and Human Services’ Office for Civil Rights as well. It was not explained why it took Primary Health Care one year to report the breach incident.
Upon discovery of the breach, Primary Health Care took immediate action and terminated access to the employees’ email accounts. A third-party computer forensics expert investigated the incident and found that the attacker gained access to the four email accounts and the associated Google Drives. However, the expert was not able to determine whether the attacker opened any email or viewed any PHI.
The email accounts were found to contain the patients’ names, Social Security numbers, driver’s license numbers, medical histories, diagnoses, treatment details, health insurance information, credit/debit card numbers, financial account numbers, facilities and providers visited, dates of services and, in some cases, Medicaid numbers. Primary Health Care did not receive any report or evidence that suggests misuse of the information. Nevertheless, patients whose PHI was affected were offered free identity theft protection services for 12 months via AllClear. Primary Health Care also plans to add security measures to protect the privacy of the patients’ information and prevent data breaches in the future.