PHI Exposed at Five Rivers Health Centers and Cancer Centers of Southwest Oklahoma Breaches

Five Rivers Health Centers located in Ohio has advised 155,748 patients regarding the unauthorized access to some of their protected health information (PHI) contained in email accounts as a consequence of a phishing attack.

There is no particular information when Five Rivers Health Centers found out about the breach, nevertheless as per reports, right after performing an extensive forensic analysis of the cyberattack plus a manual records audit, it learned on March 31, 2021, that the breached email accounts contained the personal data and health records of patients.

The forensic investigators confirmed that the email account breach happened between April 1, 2020 and June 2, 2020. The healthcare company sent breach notification letters to impacted people on May 28, 2021 after more than a year since the first email account breach occurred.

The types of information included in the breached emails and attachments varied from person to person and may have included one or more of the following data elements: name, birth date, address, medical record number, patient account number, diagnoses, clinical data, treatment details, test result information, lab test results, name of provider, cost of treatment, dates of service, prescription information, health insurance information, and Medicare or Medicaid numbers.

Some persons also had their driver’s license number, payment card numbers, financial account number, Social Security number and/or state identification number exposed. Those who had their Social Security numbers exposed received offers of one-year free membership to a credit monitoring service.

After the phishing attack, Five Rivers Health Centers re-assessed and revised its policies and procedures, put in place two-factor authentication, and gave additional training to employees regarding cybersecurity.

Breach Impacts 8,000 Cancer Centers of Southwest Oklahoma Patients

Cancer Centers of Southwest Oklahoma (CCSO) learned that a cyberattack early this year on one of its business associates, Elekta Inc, resulted in the potential exposure of its 8,000 patients’ PHI. Elekta Inc. is CCSO’s 1st generation cloud-based storage system provider.

Elekta hired third-party cybersecurity experts to check into the security breach and confirmed the breach on April 28, 2021. Breached systems included the PHI of CCSO patients. Though it cannot be known which data the hackers accessed or exfiltrated, Elekta regarded the incident as a breach since all system data was exposed. Elekta’s web-based storage system remained offline until the forensic investigation ended.

CCSO stated in its substitute breach notification that the data saved in the system and possibly viewed or stolen were the following: names, birth dates, addresses, Social Security numbers, weight, height, clinical diagnosis, medical treatment data and consultation certificates.

Elekta is giving identity monitoring, fraud assessment, and identity theft restoration services for free to affected people.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA