PHI Exposed in FHN and Elkins Rehabilitation & Care Center Phishing Attacks

The healthcare system FHN, based in Freeport, IL, is notifying some patients that an unauthorized individual potentially accessed several employees' email accounts between February 12 and February 13, 2020, resulting in the potential compromise of some of their protected health information (PHI).

FHN reported on April 20, 2020 that the investigation had confirmed a breach occurred, but determining which information may have been viewed or obtained took time. It was not possible to establish whether anyone viewed or obtained the patient information stored in the accounts, although data access could not be ruled out. FHN sent notifications to the affected individuals on July 31, 2020.

The compromised accounts contained information such as names, dates of birth, health insurance information, patient account numbers, medical record numbers, and limited clinical and/or treatment data, such as provider names, diagnoses, and medication details. The Social Security numbers and driver's license numbers of some patients were also potentially compromised.

Complimentary credit monitoring and identity protection services were offered to individuals whose driver's license numbers and/or Social Security numbers were exposed.

FHN has provided additional HIPAA compliance training to its workforce to help them identify and avoid suspicious emails. The health system also took steps to strengthen email security, including the use of two-factor authentication.

Elkins Rehabilitation & Care Center Email Security Incident Impacts 3,127 Patients

In February 2019, Elkins Rehabilitation & Care Center (ERCC), based in West Virginia, became aware that unauthorized individuals had obtained access to some employees' email accounts. The IT security team conducted an internal investigation, which revealed that several computer systems had been infected with malware between February 4, 2019 and February 7, 2019. The IT security team worked quickly to locate and remove the malware, and a complete password reset was performed on all email accounts. Once ERCC learned that the malware was capable of exfiltrating emails, an e-discovery professional was engaged to review all emails in the accounts to determine whether the attackers had stolen any information.

ERCC completed the analysis of the accounts on July 1, 2020 and sent notification letters to all affected individuals. The breached accounts contained the personal data and protected health information of current and former residents and employees, including first and last names, some protected health information, Social Security numbers, and/or driver's license numbers. Affected individuals received complimentary identity theft restoration and credit monitoring services.

Steps were taken to prevent further breaches, such as replacing the hard drives of the computers infected with the malware and installing a new antivirus and antimalware solution on all computers. Employees also received additional security awareness training.

About Christine Garcia
Christine Garcia is the staff writer at Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA