Health Plan of San Joaquin (HPSJ), which is a non-profit provider of Medi-Cal managed care located in French Camp, CA, found out that an unauthorized person has acquired access to its email system and possibly viewed or acquired sensitive information.
HPSJ suspected a potential email breach on or around October 12, 2020 upon identification of anomalous activity in its email system. The provider confirmed on October 23, 2020 that an unauthorized individual remotely accessed several employee email accounts. A password reset was carried out on all impacted email accounts to block further access by the hacker. The investigation established that the breach of email accounts happened from September 26, 2020 to October 12, 2020.
Subsequent to an email system breach, it is necessary to check all emails in the compromised accounts to find out if they consist of any sensitive information. That may be a process that is labor-intensive and time-consuming. In this instance, the procedure required a programmatic and meticulous manual examination, which confirmed that the breached email accounts included the protected health information (PHI) of 420,433 persons.
The delay in sending breach notification letters was because of the long time it required to confirm the inclusion of PHI in the email accounts, and the succeeding analysis of internal records to determine current contact details for those people in order to send the notification letters. That procedure has just recently been finished and the sending of breach notification letters to impacted people began on May 18, 2021.
The following types of PHI were included in the breached accounts: names, Social Security numbers, and addresses. Although there was confirmation of unauthorized email account access, there was no report received that indicates the misuse of any PHI; however, as a safety measure against identity theft and fraud, impacted people whose Social Security numbers were exposed received free membership to credit monitoring services via Equifax for 12 months.