A HIPAA business associate from Madison Heights, MI, Northwood Inc., reported hacking of one of its employee’s email account and potential viewing or acquisition of sensitive patient information.
Northwood Inc knew about the breach on May 6, 2019 as it looked into suspicious activity in the email account of an employee. As soon as the breach was confirmed to have occurred, a computer forensics expert scrutinized the incident to find out the nature and scope of the breach.
The forensic investigation results showed the access of the employee’s email account by an unauthorized individual(s) beginning May 3 up to May 6. Even if no evidence was found regarding the viewing or copying of email messages, the possibility of data access or theft can’t be ruled out.
On June 19, the concluded review of all the email messages and attachments contained in the account confirmed that patients’ protected health information (PHI) was exposed. The following information were compromised: a patient’s name combined with at least one of these data elements: birth date, address, patient ID number, health record number, dates of service, name of provider, diagnosis and diagnosis codes, description of medical equipment, treatment information, and health plan membership number. Some patients’ driver’s license number, health insurance provider name and Social Security number were also compromised.
The affected patients received durable medical devices or management services from Northwood. The compromised email account contained details of the healthcare providers’ exclusion standing with the CMS.
When Northwood learned about the breach, it deactivated the compromised account. All employees’ email account passwords were forced reset as a security measure. Employees underwent extra HIPAA training on discovering email threats. The company’s email security was upgraded. All patients affected by the breach have received notifications by mail and had offers of complimentary credit monitoring services.
Northwood’s breach reports filed with the Department of Health and Human Services’ Office for Civil Rights were for four separate incidents with the following number of patients affected, 5000, 5563, 3881 and 583, totaling 15,027 patients.