Phishing Attacks at Lifesprk, University of Utah Health and Oregon DHS Impact Patients’ PHI

Lifesprk, a provider of senior care based in Minnesota, is mailing notification letters to 9,000 of its clients about the potential exposure of their protected health information (PHI) as a consequence of a phishing attack in November 2019.

Lifesprk found out on January 17, 2020 about the unauthorized access of an employee’s email account. After the email account was secured, a third-party cybersecurity firm led the investigation of the breach. It was confirmed that the email accounts of some employees were compromised from November 5 to November 7, 2019.

The compromised information for most of the affected persons included their names, medical insurance info, medical record numbers, and some health information. A number of patients also had some of their financial information and/or Social Security numbers exposed.

The breach investigation is not yet finished. To date, no data theft or misuse has been reported.

The breach notification letters were mailed to affected patients starting March 17, 2020. The delay was attributed to the work required to contend with the COVID-19 pandemic. Lifesprk provided credit monitoring and identity theft protection services for free to those who had their Social Security numbers compromised. Currently, Lifesprk is making improvements to its email security. Employees will also be trained to reinforce awareness of phishing emails.

Patients’ PHI Breach at University of Utah Health

The University of Utah Health announced the unauthorized access of the email accounts of a number of its employees from January 7 to February 21, 2020. Patients’ PHI might have been accessed.

The University of Utah Health learned on February 3, 2020 that malware installed on an employee’s workstation potentially allowed unauthorized people to gain access to patients’ PHI.

The compromised email accounts contained PHI including names, birth dates, medical record numbers, and some clinical information relating to the medical services provided by the University of Utah Health.

The University of Utah Health has sent notifications to the affected patients, reviewed its security measures and made essential revisions, and will give employees further security training.

The exact number of patients impacted by the breach is not yet known.

Oregon Department of Human Services Spear Phishing Attack

The Oregon Department of Human Services learned that an unauthorized individual had accessed an employee’s email account after the employee responded to a spear-phishing email.

Because of the information technology security controls in place, the compromised email account was detected quickly, so data theft is considered unlikely. The Oregon DHS discovered the breach incident on March 6, 2020 and secured the account immediately. A third-party company will provide support in investigating the breach to determine which data was compromised and which individuals were impacted. The affected individuals will receive notifications soon.

At present, there is no confirmation that attackers accessed, duplicated or misused any sensitive information; even so, the Oregon DHS will provide all affected clients with identity theft protection services.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA