Phishing Attack on California Business Associate Compromised PHI of 14,591 DHS Patients

Nemadji Research Corporation, doing business as California Reimbursement Enterprises, has disclosed that an unauthorized person accessed the email account of an employee. The protected health information (PHI) of the corporation’s clients was potentially exposed.

California Reimbursement Enterprises is a business associate offering patient eligibility and billing services to many healthcare facilities and hospitals located in California. The corporation is also a service provider to the Los Angeles County Department of Health Services (DHS).

On March 28, 2019, a member of the IT staff spotted unusual activity in one employee’s email account, which is how the potential email account breach was identified. A third-party computer forensics professional helped investigate the breach. Nemadji affirmed that the attacker accessed the email account a couple of hours after the employee’s response to the phishing email.

On June 5, 2019, the review of all communications in the email account concluded that patient information was exposed. Nemadji notified all business partners affected by the breach.

California Reimbursement Enterprises used the breached email account to correspond with DHS about the services it offered. Some email messages contained PHI. On June 26, 2019, Nemadji notified DHS of the breach and reported that 14,591 DHS patients were affected.

The potentially breached data included names together with one or more pieces of information such as address, birth date, phone number, patient account number, medical record number, Medi-Cal ID number, dates of admission and discharge, and month and year of service. Additional information exposed included diagnostic codes for four patients and Social Security numbers for two patients.

The affected patients received breach notifications on July 8, 2019, along with offers of free credit monitoring and identity theft protection services.

Nemadji also evaluated its cybersecurity protections and added more security measures to reduce the risk of further breaches. Employees received further HIPAA training, and the IT team upgraded its email security protection.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA