Mount Sinai Hospital discovered the compromise of 33,730 patients’ protected health information (PHI) as a result of the American Medical Collection Agency (AMCA) cyberattack. The hospital is number 24 on the list of victims of the AMCA breach, which has impacted nearly 25 million individuals.
On June 4, 2019, AMCA informed Mount Sinai Hospital about unauthorized access to a web payment site containing the protected health information (PHI) of its clients’ patients. The compromise of the web portal started on August 1, 2018 and continued until March 30, 2019, when it was discovered. Right away, AMCA took the required action to secure the web page.
The patients affected by the breach included only those who had outstanding medical bills and whose information had been provided to AMCA for collection. The information included the patients’ names, name of laboratory or healthcare service provider, dates of service, name of referring doctor, health insurance details, and other medical data associated with the services Mount Sinai Hospital provided.
The financial information of some patients was also exposed. AMCA notified those people directly and offered them credit monitoring services. Mount Sinai Hospital notified all other affected individuals.
Phishing Attack on Navicent Health
Navicent Health, based in Macon, GA, is sending breach notifications to around 1,400 patients regarding the exposure of some of their protected health information (PHI) due to a phishing attack.
Navicent Health found out on June 24, 2019 that an employee’s response to a phishing email had led to the compromise of that employee’s email account. Potentially compromised information included patient names, telephone numbers, addresses, medical data, insurance details, bank account data, Social Security numbers, and other personal data.
This incident at Navicent Health is not the first phishing attack this year. Last March, a phishing attack on the healthcare company caused the compromise of the PHI of 278,016 patients. The breach happened in July 2018, but the PHI breach was only confirmed on January 24, 2019.