Summa Health in Akron, Ohio discovered an unauthorized person had accessed four employee email accounts that contain the protected health information (PHI) of patients.
Summa Health knew about the breach on May 1, 2019 and started an investigation showing the breach of 2 email accounts in August 2018, and the breach of two more accounts from March 11, 2019 to March 29, 2019.
The four accounts were secured and then a third-party computer forensics company was hired to find out if there was actual access or theft of patient data. The company did not find any evidence that PHI was stolen or accessed, but the possibility that patient data was compromised cannot be ruled out.
After analyzing the compromised accounts, it was found that they included these types of PHI: the names of patients, birth dates, patient account numbers, medical record numbers, clinical data, and treatment details. The driver’s license numbers and/or Social Security numbers of a small part of those patients were also exposed. The total number of patients affected was 10,893.
Summa Health sent two breach reports to OCR on June 28, 2019. For the August and March attacks, the affected persons were 7,989 and 2,904 persons. The patients who had their Social Security number or driver’s license number exposed were offered free credit monitoring and identity protection services.
To prevent further breaches, Summa Health will give additional training to employees about privacy and security. Stronger email security controls will also be implemented.
Community Physicians Group Phishing Attack
The Community Physicians Group based in Siloam Springs, AR is notifying 5,400 of its patients about the exposure of their PHI due to a phishing attack.
The breach was discovered on April 24, 2019 when there was suspicious activity detected in an email account. Upon investigation of the incident, a malicious software was found to have been installed on February 19, 2019. This allowed the unauthorized access of the email account.
The email attachments of messages in the account contained PHI. There was limited information exposed including names, medical record numbers, dates of patient service, and a short explanation of the nature of consultation. No highly sensitive data like Social security numbers or financial data were exposed.
The IT team has removed the malware and improved the security using a new web-based anti- malware protection system.