MedSpring Urgent Care Breach Potentially Exposes 13,000 Patients’ PHI


MedSpring Urgent Care, a group of critical care clinics located in Atlanta, Austin, Chicago, Fort Worth, Dallas, and Houston, has identified that an unauthorized individual gained access to an email account after an employee was deceived by a phishing scam.

The email account was hacked on May 8, 2018, but MedSpring Urgent Care did not discover the security breach until May 17. Once the breach was discovered, the email account was secured to keep the hacker from getting into it. A top rated cybersecurity forensics agency was called in to investigate the breach and help resolve it.

MedSpring learned on May 22, 2018, that the hacker likely gained access to the protected health information (PHI) of patients contained in the email messages and message attachments. The breach was confined to one employee's email account. Other parts of the system were not compromised.

The investigators performed a complete review of all communications in the account to determine which patients were impacted and what types of data were compromised. MedSpring says the breach was limited to patients who had previously visited its urgent care centers in Illinois.

The email account contained patient data such as names, healthcare record numbers, service dates, account numbers, and other data linked to the medical services given to patients. The investigation found no evidence to suggest that emails in the account were accessed, and MedSpring has not been informed of any incidents of misuse of patient data so far.

All patients likely impacted by the phishing email attack have been notified by mail and provided with one year of free identity protection, credit monitoring, and fraud resolution services from Experian.

As required under HIPAA Rules, MedSpring Urgent Care notified the Department of Health and Human Services' Office for Civil Rights about the data breach. The submitted report shows that 13,034 patients were impacted.