Email Account Breaches at Three HIPAA Entities Expose PHI of 40,000 People

The protected health information (PHI) of roughly 40,000 people has been exposed following recent cyberattacks on three separate HIPAA-regulated entities, each of which involved the compromise of an employee email account.

The attacks were as follows:

1. Boulder Neurosurgical and Spine Associates

Boulder Neurosurgical and Spine Associates discovered that a corporate email account had been breached on September 21, 2021. Once the breach was identified, the account was promptly secured to block any further unauthorized access. An external cybersecurity firm was engaged to assist with the internal review and establish what had taken place.

Following completion of the review, it was determined that some of the emails and attachments in the account contained PHI. However, it could not be confirmed whether this PHI had actually been viewed or obtained by anyone without authorization. The data accessible during the breach included names, dates of birth, and medical histories; no addresses or Social Security numbers were exposed. HHS' Office for Civil Rights has been informed that the PHI of 21,450 individuals was affected.

2. Region IV Area Agency on Aging

On or around September 30 last year, Region IV Area Agency on Aging in Michigan (AAA4) identified a breach in which an unauthorized individual gained access to the email account of one of its employees after the employee received a phishing email. The phishing email was part of an attempt to have the employee's paychecks diverted to an attacker-controlled account.

While diverting the payroll funds appears to have been the sole aim of the attack, the compromised email account held the PHI of 3,171 individuals, including names, addresses, dates of birth, Social Security numbers, insurance details, phone numbers, and medical records.

AAA4 has not found any evidence that PHI was downloaded or misused, but everyone affected has been advised to monitor their accounts and explanation of benefits statements for suspicious activity. AAA4 said it has implemented new measures to prevent further phishing-related breaches, including additional security awareness training for staff.

3. Saltzer Health

Saltzer Health in Idaho discovered on June 1, 2021, that one of its email accounts had been accessed without authorization. The provider moved swiftly to shut off further unauthorized access, and the subsequent investigation showed that an unauthorized person had been logging into the account between May 25, 2021, and June 1, 2021. It was not possible to confirm whether any PHI had been accessed or stolen, but an in-depth review of the account's contents by external cybersecurity experts determined that it contained the PHI of 15,650 individuals.

The investigation concluded on September 21, 2021, and found that the following types of data were exposed: names, contact information, medical record details, patient identification information, driver's license and state identification numbers, diagnoses, treatment details, physician notes, prescriptions, health insurance information, and, for a small number of individuals, Social Security numbers and financial account information. All affected individuals have now been notified of the breach.