Two Phishing Attacks on Hospitals Impact Over 15,000 Patients

A phishing attack on Artesia General Hospital in Artesia, NM resulted in the compromise of 13,905 patients’ protected health information (PHI).

The hospital detected the breach on June 18, 2019 when it was discovered that the email account of an employee was used to send unauthorized email messages. Forensic analysis of the breach revealed that an unauthorized person accessed the account from June 11 to June 18.

A top-rated computer forensics firm investigated the breach but found no proof of stolen data. To date, there have been no reports of misuse or theft of PHI.

The following information was included in the email accounts: names of patients, dates of birth, patient account numbers, healthcare record numbers, health insurance details, and some treatment and/or clinical data, for instance, diagnoses, dates of service, and provider names. The Social Security numbers of some patients were also exposed.

The hospital has improved its HIPAA security awareness training and implemented more effective email security. Free credit monitoring and identity theft protection services were also offered to patients whose Social Security numbers were exposed.

1,653 Patients Affected by Phishing Attack on Carle Foundation Hospital

A phishing attack on Carle Foundation Hospital in Urbana, IL resulted in the compromise of the email accounts of three doctors.

The hospital detected the security breach on June 24, 2019 and initiated an investigation. According to the investigation findings, the email accounts had been breached three weeks prior to June 3, 2019. With the help of a third-party cybersecurity firm, the hospital learned that patient names, dates of birth, medical record numbers, diagnoses, treatment coverage, and clinical data were exposed. The breach affected patients who received cardiology or surgery services at the hospital.

Though there was no proof of PHI theft or misuse, the hospital sent notifications to the affected persons. To avert any more incidents, employees will undergo retraining and email security will be upgraded.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA