Conway Medical Center and Equinox Inc. Report Email Security Breaches

The email accounts of several staff members of Conway Medical Center in South Carolina have been obtained by unauthorized persons.

The phishing attack was first discovered on October 7, 2019 and impacted email accounts were immediately secured to stop additional unauthorized access. External cybersecurity experts were engaged to review the breach and determine whether patient information had been viewed or downloaded. The investigators found that the first email accounts were compromised in or before July 2019.

It was not until November 20, 2019 that the investigators confirmed that the protected health information of patients had been exposed as each email had to be checked to determine whether it contained PHI and if it had been obtained or viewed. That was largely a manual task.

The way the email accounts were accessed meant emails may have synchronized with the hacker’s computer and could have been automatically obtained.

Those emails included names, addresses, Social Security numbers, birth dates, phone contact numbers, dates of admission, discharge dates, CMC account numbers, monies owed, and other data. For certain patients, the names, addresses, phone numbers, Social Security numbers, place of employment, and other details relating to their guarantors was also possibly obtained.

Steps have now been taken to strengthen email security and notification letters have been mailed to affected patients. Individuals whose financial data has been exposed have been offered complimentary identity theft protection services.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 2,550 patients have been affected by the security breach.

1,021 Account Holders at Equinox, Inc. Warned of PHI Exposure

Equinox, Inc., an Albany, NY-based supplier of services to people suffering from chemical dependency, mental health problems, and domestic abuse survivors, has discovered the email accounts of two of its employees have been accessed by unauthorized people.

The data security breach was found on July 26, 2019 when suspicious activity was discovered in its digital environment. Its systems were swiftly secured and third-party cybersecurity experts were engaged to look into the breach. Equinox was advised on August 28, 2019 that two email accounts had been accessed by unauthorized people.

The impacted email accounts were then reviewed to determine whether they included any patient data. Equinox was made aware on October 9, 2019 that the protected health information of 1,021 current and former clients had potentially been obtained. The email accounts included names, addresses, Social Security numbers, dates of birth, medical treatment or diagnosis details, health insurance information, and/or medication-related data.

No proof was found to suggest information in emails and attachments was seen or taken and no reports have been received to indicate clients’ information has been improperly used.

Affected individuals were contact to make them aware of the breach on December 6, 2019 and have been offered free credit monitoring and identity theft protection services. Additional security features have been implemented to stop additional breaches of this nature going forward.