PHI of 1,080 Chaplaincy Health Care Patients Potentially Exposed Due to Phishing Attack


A phishing attack on Chaplaincy Health Care, a not-for-profit healthcare provider located in Richland, WA caused the exposure of the protected health information (PHI) of 1,080 patients. The phishing attack happened on November 20, 2018 and it was quickly identified within 4 hours. Chaplaincy Health care immediately took action to prevent unauthorized access.

A third-party computer forensics company assisted with the investigation of the breach and confirmed that the attacker accessed just one email account. Right after accessing that email account, the attacker tried to gain access to other accounts. Because the employee received an alert that her account was used for sending a phishing email, the breach was discovered.

No proof was found that indicate the viewing or copying of any patient health data, but as a precaution, Chaplaincy Health Care offered all patients affected by the breach free credit monitoring and identity theft protection services via LifeLock for one year. Patients received breach notifications on January 3, 2019.

The company investigating the data breach came to the conclusion that the main goal of the phishing attack was to have many email accounts compromised instead of accessing sensitive data, even though it wasn’t possible to find out if any email messages in the compromised account were accessed.

The information contained in the compromised email account included full names, birth dates, home addresses, medical record numbers, dates of service, prescription data and the last four numbers of Social Security numbers.

Chaplaincy Health Care seriously apologized for the difficulty and the problem caused by this incident. It treats information security with great importance and will continue to strengthen its operational protections for the sake of patients and their families.

As a response to the breach, the email accounts of Chaplaincy Health Care were integrated with two-factor authentication. Employees also received further training on keeping sensitive patient data secure.