Email Breaches at Eastern Los Angeles Regional Center & Mercy Grace Private Practice

Eastern Los Angeles Regional Center learned that an unauthorized person had accessed the email account of one of its employees. On July 15, 2021, the center noticed suspicious activity in the email account and performed a password reset to stop further unauthorized access by the attacker. An investigation was started to find out the nature and extent of the breach.

The investigation confirmed that the attacker accessed the account for a limited time period on July 15, 2021, and that the email account contained the protected health information (PHI) of 12,921 individuals.

The PHI included patients’ first and last names, client identifier numbers issued by ELARC, Social Security numbers, Tax ID numbers, medical backgrounds, treatment or diagnosis data, and medical insurance data.

Eastern Los Angeles Regional Center said it did not find any evidence suggesting that information in the email account was exfiltrated, nor any evidence of actual or attempted misuse of data.

ELARC implemented additional technical safety measures to further improve the security of sensitive data and offered the affected individuals 12 months of free credit monitoring services via Kroll.

4,450 Mercy Grace Private Practice Patients Notified Concerning Data Breach

On August 30, 2021, Mercy Grace Private Practice, based in Gilbert, AZ, sent notifications to 4,450 patients regarding a business email compromise attack that occurred in December 2020 and involved a fake wire transfer.

The practice engaged a third-party computer forensics company to conduct a detailed analysis of all its email environments. According to the investigation, two employee email accounts were breached.

An analysis of the two email accounts confirmed that they contained patient information such as names, driver’s license numbers, Social Security numbers, state ID numbers, financial account data, and limited health data. The objective of the attack appears to have been to scam the practice rather than to obtain patient information. Mercy Grace Private Practice is not aware of any actual or attempted improper use of patient information due to the security breach.

Because of the breach, the practice enhanced its security protocols and also provided additional cybersecurity training to employees.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA