A phishing attack at Salem Health Hospitals & Clinics, Oregon on July 31, 2019 resulted in the access of some employees’ email accounts by an unauthorized person. The healthcare provider detected the breach within a day of the account access and secured the compromised accounts.
Patients received notification concerning the breach on September 27. They were also informed that the affected accounts are under review. It is believed that the compromised email accounts contained a minimal amount of patient data which includes names, birth dates, and data associated with the healthcare services that the patients received. During the issuance of the notice, there was already ongoing investigation of the breach.
On November 7, 2019, Spokesman of Salem Health, Elijah Penner, said that after reviewing the incident, there was no indication of misuse of any patient data. There’s no evidence that showed the attacker accessed the patient data contained in email messages and attachments.
Salem Health informed the patients affected by the breach to take care and keep track of their statement of accounts and explanation of benefits statements for indications of fraudulent transactions. Salem Health is enhancing email security and reinforcing employee HIPAA training to help them identify and steer clear of malicious emails later on.
The HHS’ Office for Civil Rights has not yet published the breach on its breach portal and so the exact number of affected patients is currently uncertain.
Phishing Attack on Delta Dental of Arizona in July
An email security breach encountered by Delta Dental of Arizona led to the exposure of information of plan members. Delta Dental detected the security breach on July 8, 2019 after detecting suspicious activity in the email account of an employee.
The attacker utilized the credentials of the employee to gain access to the email account. The substitute breach notice on Delta Dental’s webpage stated that it took a lengthy and labor-intensive process to know which members had their information compromised.
Delta Dental of Arizona released a report on November 8, 2019 verifying the investigation that no evidence was found regarding unauthorized data access, though unauthorized data access cannot be ruled out. As a result, the provider notified the affected members as a precaution.
The compromised information contained in the email account included names, addresses, birth dates, member ID numbers, driver’s license numbers, Social Security numbers, passport numbers, financial data, credit/debit card numbers, usernames/passwords, digital signatures and dental insurance details.
The HHS’ Office for Civil Rights has not yet listed the incident on its breach portal. Hence, the exact number of members affected by the breach is still unknown.