A phishing attack on Solara Medical Supplies, LLC in Chula Vista, CA, resulted in the potential compromise of the protected health information (PHI) of a lot of its customers.
Solara Medical discovered suspicious activity in an employee’s email account on June 28, 2019 and launched an investigation to find out the nature and extent of the breach. Third-party computer forensics experts assisted Solara Medical with the investigation and found out that the breach was much more extensive. A number of Office 365 email accounts were compromised from April 2, 2019 to June 20, 2019.
All compromised accounts underwent a programmatic and manual assessment to know which patients had their PHI potentially accessed. The email accounts contained information that varied from one patient to another. The information included the first and last names of the patient combined with at least one of the following data elements: birth date, address, Social Security number, employee ID number, medical insurance details, financial data, credit card/debit card number, passport information, driver’s license number, state ID number, password/PIN or account login details, Medicare/Medicaid ID, claims information, and billing data.
Solara Medical quickly secured the compromised accounts after discovering the breach and enforced further security controls to enhance email security. People impacted by the breach received notifications and complimentary offers of one-year credit monitoring and identity theft protection services as safety precautions.
The Department of Health and Human Services’ Office for Civil Rights already received the breach report, but there is no published information yet on the OCR breach portal about the incident yet. Thus, the number of people affected by the breach is currently unknown.
Phishing Attack on Select Health Network
A phishing attack on Select Health Network in Mishawaka, IN resulted in the potential compromise of the PHI of some individuals.
The physician hospital organization detected suspicious activity in some employees’ email accounts and had a squad of computer forensics experts investigate the potential breach. The investigation showed a number of email accounts compromised from May 22, 2019 to June 13, 2019.
The audit findings of the compromised email accounts obtained by Select Health Network on October 1, 2019 confirmed the compromise of a broad range of PHI contained in the accounts.
The exposed information differed from one person to another and included the first and last names of patients along with at least one of the following data: address, birth date, member id number, medical insurance details, medical history, treating/referring doctor’s name, treatment details, treatment expense, medical insurance policy number, and medical record number. The Social Security number of some people was likewise exposed.
Select Health Network has no knowledge of patient information misuse resulting from the breach. People whose Social Security numbers were exposed received offers of one-year free credit monitoring and identity theft protection services.
Select Health Network reviewed its policies and procedures and implemented extra safety measures to strengthen email security and avoid other attacks of this kind.