PHI Exposed Because of a Phishing Attack on Medford and Insider Breach at Penn Medicine


Medford Patients’ PHI Exposed

Medford, a Hematology Oncology Associates practice located in Oregon, suffered a phishing attack that compromised the email accounts of several Medford employees. The first email account was breached on December 18, 2018, and the attacker continued to access the other accounts until February 22, 2019. Medford became aware of the breach only on March 19, 2018.

Third-party computer forensics professionals were hired to investigate the breach. They could not determine which emails and attached files the attacker accessed, but the investigation, which concluded on April 20, confirmed that some email messages and attachments were compromised. The compromised information was found to contain patients’ protected health information (PHI).

To stop the attacker from accessing the accounts further, a password reset was performed on all accounts. Employees also received additional security awareness training.

Medford submitted the breach report to the HHS’ Office for Civil Rights and to state attorneys general. Notification letters were issued to the affected individuals, who were also offered free membership to Experian’s IdentityWorks credit monitoring and identity theft protection services. The number of affected individuals is still unknown at the moment.

Insider Breach at Penn Medicine

A medical assistant who previously worked at Penn Medicine was accused of accessing patient information without a valid work reason and of misusing one patient’s information.

The medical assistant was employed at Penn Medicine through a staffing agency from February until April 2019. On April 29, 2019, Penn Medicine discovered the employee’s unauthorized access to patient data.

The employee probably accessed patient data including names, demographic information, clinical details and Social Security numbers of certain patients. A total of 900 patient records were accessed by the ex-employee during his/her three-month employment. Lauren Steinfeld, Penn Medicine spokesperson, issued a statement confirming that one patient’s PHI was misused, though she did not say how it was misused.

Penn Medicine has already sent privacy breach notifications to the 900 patients. A review of the hospital’s policy on hiring contractors through staffing agencies is pending, and action will be taken to ensure that hired employees adhere to high professional standards.