Sutter Health’s Business Associate Experienced a Phishing Incident

The law firm Salem and Green, a business associate of Sutter Health, suffered a phishing attack that exposed the protected health information of certain patients. A staff member of Salem and Green received a phishing email on October 11, 2017. The employee responded to the email, which gave the attacker access to the employee's email account. When Salem and Green discovered the attack, it engaged a forensics firm to analyze the affected computer and network. The investigators worked to determine the severity of the attack and the type of sensitive information obtained by the attacker.

The investigation determined that the breach was restricted to a single email account. The attacker had access to that account for two days, and during that time the protected health information of some Sutter Health patients stored in the account was compromised. The potentially exposed information included patients' names, birth dates, Social Security numbers, driver's license numbers and other professional ID numbers.

Sutter Health cannot confirm with certainty that the data was accessed and the sensitive information exposed, but it acknowledges the possibility. Sutter Health nonetheless believes that the risk of the PHI being misused is rather low.

Sutter Health has already sent notifications to the affected patients. To further protect them from the consequences of the breach, Sutter Health offered them free credit monitoring and identity theft protection services for one year. In addition, Salem and Green strengthened its data security to prevent similar breaches from recurring: access to an email account now requires two-factor authentication, an extra layer of protection that can deter attackers from attempting to access the accounts. Employees also received additional security awareness training so that they can recognize email threats such as phishing.

About Christine Garcia

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA