Phishing Attack on People Inc. and OS Inc. Impact Patient PHI

People Inc. is a non-profit health and human services firm located in Western New York providing services to elderly people and people with developmental disabilities. A phishing attack on the organization affected roughly 1,000 persons.

The incident was investigated on February 19, 2019 after the organization discovered the unauthorized access of its systems. The forensic team confirmed that an unauthorized person was able to access the email accounts of two employee after responding to phishing emails.

The compromised accounts contained emails and attachments with protected health information (PHI) such as names, addresses, insurance data, driver’s license numbers, Social Security numbers, government ID numbers, healthcare data and financial data. At this point, there is no information received about the misuse of any patient information.

People Inc. is providing affected persons with free credit monitoring services for 12 months. People Inc will notify the HHS after receiving confirmation of the exact number of people affected. The organization already notified the FBI regarding the breach.

Columbus Community Hospital established in Columbus, WI notified certain patients regarding the compromise of some of their PHI because its business associate, OS Inc, encountered a phishing attack.

On April 8, 2019, OS Inc, Columbus Community Hospital’s claims management service provider, reported the unauthorized access of its employee’s email account potentially resulting to viewing of patient data.

The email account in question contained data such as names, insurance provider names, summaries of charges, hospital account numbers, and types of service. Some patients also had their insurance ID number and/or Social Security numbers exposed. Investigators did not get any proof of data access, theft or misuse as of yet.

OS Inc is also a service provider for other hospitals but there is no report about other hospitals or patients impacted by the data breach. The incident is not yet posted on the HHS’ Office for Civil Rights website as the exact number of affected persons is not yet known.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at