Healthcare provider InterMed based in Portland, ME is notifying 33,000 patients about the potential compromise of some of their protected health information (PHI) as a result of a phishing attack.
InterMed detected the attack on September 6, 2019. It was confirmed by the investigators that the account was compromised on September 4. The attackers accessed the account until September 6, 2019.
A prominent national computer forensic firm investigated the breach and found three more email accounts were compromised from September 7 to September 10, 2019.
An extensive review of the affected email accounts was done however it was not possible to ascertain what emails or file attachments, the attackers had viewed.
Different patients had different types of information included in the compromised accounts. The following information may have been included: patients’ names, dates of birth, health insurance data, and some clinical data. The Social Security number of a “very limited” number of patients were also exposed.
On November 5, 2019, InterMed began the mailing of breach notification letters to affected patients. Patients who had their Social Security numbers exposed also received offers of free credit monitoring and identity protection services.
InterMed had already taken steps to improve email security and given more training to employees to ensure adherence to email security best practices.
Phishing Attack on Central Maine Orthopaedics
Central Maine Orthopaedics is associated with Spectrum Healthcare Partners. 11,308 of its patients are being informed about the potential exposure of some of PHI to an unauthorized person who accessed the email account of one employee.
On November 14, 2019, Spectrum Healthcare Partners found out about the unauthorized access and promptly kept the affected account secure. The investigation showed that the account breach happened on November 5, 2019. An analysis of the emails and file attachments in the account confirmed they inclusion of information such as the patients’ names, birth dates, addresses, medical insurance data, clinical and treatment details, and sums payable to Central Maine Orthopaedics.
Although it was affirmed that the attacker had remote access to the email account, there is no evidence that suggests the acquisition or misuse of patient information.
Impacted patients received notifications as a safety precaution on January 13, 2020 and were advised to keep track of their explanation of benefits and statements of account for any hint of bogus use of their data.
Spectrum Healthcare Partners reinforced its technical controls and will give employees a more intense security training.