A phishing attack on Main Line Endoscopy Centers, a group of outpatient endoscopy facilities located in the Bala Cynwyd, Malvern and Media regions of Pennsylvania, allowed an unauthorized individual to access an employee’s email account. The breach occurred after the employee responded to a phishing email. The exact date on which the account was breached is not known, but Main Line discovered the breach on January 30, 2019.
A prominent computer forensics company assisted with the breach investigation, primarily to determine whether the unauthorized person opened any email messages in the employee’s email account and whether any protected health information (PHI) was compromised. The investigators confirmed that the attackers possibly accessed the PHI of some patients. The PHI included names, dates of birth, and minimal clinical data. The driver’s license numbers, Social Security numbers and/or health insurance details of some patients were also compromised.
Main Line sent breach notification letters on March 29, 2019, to all the patients impacted by the breach. However, only those whose Social Security number or driver’s license number was exposed received free identity theft protection services for one year.
As a safety measure, all persons impacted by the breach should monitor their explanation of benefits statements, bank accounts and credit reports for possible fraudulent transactions.
To prevent further attacks, Main Line has provided all employees with additional training on email security awareness and the threat of phishing attacks. The facility also adopted multi-factor authentication to stop unauthorized access to accounts and the compromise of more credentials.
The Department of Health and Human Services’ Office for Civil Rights has received the report about the breach and has posted it on its web portal, indicating that the breach impacted about 14,305 patients.