Sunrise Community Health, based in Evans, CO, discovered that several employees' email accounts were compromised after the employees responded to phishing emails. Unauthorized individuals accessed the email accounts from September 11, 2019 to November 22, 2019.
On November 5, 2019, third-party computer forensics experts helped Sunrise Community Health determine that the protected health information (PHI) of certain patients contained in the email accounts had been compromised. The compromised data varied from patient to patient but may have included names, birth dates, Sunrise patient ID numbers, Sunrise provider names, dates of service, clinical tests performed, the results of those tests, diagnoses, medications, and names of health insurance providers.
Sunrise Community Health is convinced that the intention of the attack was not to acquire patient data. However, the risk of unauthorized access and theft of data cannot be ruled out. The attackers appear to have been targeting invoice and payroll data.
Though the investigation is still ongoing, breach notification letters have already been sent to affected people. Sunrise Community Health is providing affected patients with credit monitoring and identity theft restoration services for free.
Phishing Attack on Katherine Shaw Bethea Hospital
Katherine Shaw Bethea Hospital, located in Dixon, IL, found that an unauthorized individual had accessed an employee's email account and possibly obtained a spreadsheet containing the PHI of 1,486 patients.
The spreadsheet contained the following information: names, dates of birth, contact numbers, medical insurance carrier names, diagnoses, and clinical details of patients below 18 years of age who went to the emergency department from November 1, 2018 to May 1, 2019.
Katherine Shaw Bethea Hospital has implemented further safety measures to enhance email security, and all personnel were given additional cybersecurity HIPAA training to identify phishing scams.
Improper Disclosure Incident in NYC Health + Hospitals
NYC Health + Hospitals is alerting patients who received treatment right after a motor vehicle accident about the impermissible disclosure of some of their PHI to third parties by an employee.
NYC Health + Hospitals was informed on October 3, 2019 that an employee had disclosed patient information to third parties, such as law agencies, between 2016 and November 2019.
NYC Health + Hospitals is assuming that all individuals who received treatment at its hospitals and clinics following a motor vehicle accident might have been affected. The investigation is still ongoing, and the employee concerned received appropriate disciplinary action.