Hopebridge (IN) and United Methodist Homes (NY) Reported Email Security Breaches

Hopebridge is a network of 28 autism treatment centers located all over the Midwest. It experienced a phishing attack, which potentially resulted in the access of its patients’ protected health information (PHI) by an unauthorized individual.

Hopebridge detected the security breach on July 19, 2018 and called in a third-party computer forensics company to investigate the nature and extent of the breach. At the same time, all accounts and systems were blocked to prevent the attacker from further access.

According to the investigation results, phishing emails were sent to several employees from March to July 2018. A number of employees’ responded to those emails and compromised their email accounts. A limited quantity of the patients’ PHI including names, the Hopebridge services they received and autism diagnosis were found in the email accounts. The forensic investigators also found out that the attacker was not interested in gaining access to PHI. The attack seem to be simply an attempt to access the financial information of employees.

Hopebridge submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that 1,411 patients were potentially impacted by the phishing attack. So far, no report has been received that patient information was misused. Because of the breach, Hopebridge implemented stricter access controls, 2-factor authentication on email accounts and IP address whitelisting. In addition, internal emails and reports that contain patient names are now being masked.

Another data breach occurred involving the United Methodist Homes’ network of Independent and Assisted Living facilities for seniors located in New York. It was discovered that a former employee stole the protected health information (PHI) of 843 past and present residents of its Elizabeth Church and Hilltop campuses.

The information was contained in a spreadsheet, which was sent to the employee’s personal email account. The information included the names of residents, addresses, telephone numbers of the residents’ contact person(s) and the relationship of the contact persons to the residents. No financial information, patient data, health insurance data, Social Security numbers or other highly sensitive data were stolen.

United Methodist Homes discovered the incident on July 13, 2018 and questioned the employee. After this, the employee deleted the email and the spreadsheet from his email account, United Methodist Homes decided to dismiss the individual. The individuals affected by the breach were offered free credit monitoring services for one year by the United Methodist Homes.