Potential Exposure of 8,600 Patients’ PHI Due to Three Email Hacking Incidents

Three breaches involving patients’ protected health information (PHI) due to email hacking were reported. The three hacking incidents affected a total of 8,635 patients.

The first breach occurred at the Center for Sight and Hearing, based in Rockford, IL. An unauthorized individual gained access to an employee’s email account containing the PHI of 5,319 patients. The breach occurred on January 18 and was discovered on January 23, 2019.

A computer forensics company investigated the incident and confirmed on February 21, 2019 that the hacked email account contained information including names, addresses, and patient scheduling details. To secure its systems, the Center for Sight and Hearing implemented multi-factor authentication and an upgraded password management system.

The second breach occurred at Harbor Behavioral Health, a network of counseling and mental health treatment centers in Northwest Ohio. The hacker’s access to an employee’s email account was discovered on February 13, 2019.

Investigators learned that the unauthorized person had access to the account for three months, from December 2018 until February 2019, which resulted in the compromise of another email account.

Harbor Behavioral Health immediately terminated the unauthorized account access, secured the accounts, and analyzed the information contained in them. The analysis revealed that the accounts contained names, birth dates, medical insurance data, and information about Harbor’s services. A number of patients also had their Social Security numbers and driver’s license numbers exposed. The PHI of 2,290 patients was impacted.

Harbor Behavioral Health patients whose Social Security number or driver’s license number was compromised were offered free credit monitoring and identity theft protection services. Furthermore, extra security controls were implemented to prevent unauthorized access from external IP addresses. Log reviews and automated notifications were also improved. Employees received further HIPAA training on identifying and preventing phishing emails.

The third incident involved the hacking of a Dakota County employee’s email account, which potentially impacted 1,026 people. The county learned about the breach on February 13, 2019 and quickly secured the account.

To secure the accounts against unauthorized access, a forced password reset was applied to all employee email accounts, though the investigation found that only one email account was affected by the breach. Third-party cybersecurity professionals investigated and confirmed the breach of the account, but there is no confirmation of whether the hacker viewed or accessed any emails.

The breached account contained Dakota County Social Services information including names, addresses, healthcare insurance information, healthcare histories, diagnoses, treatment data, driver’s license numbers, and Social Security numbers.

Affected people were given free identity protection services. Dakota County sent breach notification letters on April 12, 2019 and improved its email system to block other cyberattacks.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years’ experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA