Loudoun Medical Group, also called the Comprehensive Sleep Care Center (CSCC), had a phishing attack some time on June 19, 2019.
The IT department was cautioned regarding a potential email security breach upon detecting suspicious activity in the email account of an employee. The password was instantly altered to avoid further unauthorized access. Forensic investigators looked into the incident and confirmed that the breach was restricted to only one email account, which an unauthorized individual accessed between June 15, 2019 and June 19, 2019.
On October 17, 2019, the investigators had identified which patients had their information accessed. The email account contained varying information for each patient, but may have included the name of patients and one or more of these data elements: birth date, Social Security number, passport number, driver’s license number, medical record number, payment card information, financial account information, patient account number, medical history, health insurance information, treatment data and/or date(s) of service.
CSCC implemented extra security controls to stop other email security breaches and provided the affected persons the information on minimizing their risk of PHI misuse. Thus far, there is no evidence that patient information was actually misused.
Phishing Attack Impacts McLaren Health Plan
McLaren Health Plan located in Flint, MI found out that unauthorized persons potentially accessed some of its members’ protected health information (PHI) because of a phishing attack on its business associate, Magellan Rx Management. This business associate provided services to McLaren Health Plan until December 31, 2018.
On November 27, 2019, Magellan Health reported that its subsidiary, Magellan Rx Management, had a phishing attack on May 28, 2019. Magellan Rx learned about the attack on July 5, 2019 and started a detailed investigation to know the scope of the breach. The investigators affirmed that the breach was restricted to just one email account, which contained the PHI of several McLaren Health Plan members including names, date of birth, health plan name, provider, health plan member ID numbers, diagnosis, medication, and authorization data. McLaren Health plan became aware of the security breach on October 4, 2019.
It seems that the intention of the attack was to employ the email account for sending spam. No proof of data access or misuse was found. Since the breach, Magellan Health has improved email security and is HIPAA training employees to assist them in identifying malicious emails later on.