A data security breach took place at Confluence Health, a non-profit health system operating Wenatchee Valley Hospital, Central Washington Hospital and other satellite clinics in North and Central Washington. The breach involved an employee’s email account and resulted in patients’ protected health information (PHI) being accessed by an unauthorized individual. When the security breach was discovered on May 29, 2018, a digital forensics company investigated the breach and learned that an unauthorized person had accessed the employee’s email account on May 28 and May 30.
The email account contained only a limited amount of PHI. No financial information, Social Security numbers or other sensitive data was included. The names and treatment details of patients impacted by the breach were exposed.
According to Confluence Health, security solutions are in place at its facilities to stop unauthorized system access. Staff had also been given security awareness training. But the attacker was able to bypass all those security measures.
Although an unauthorized person could have accessed the PHI, the investigators did not find any evidence that the PHI was stolen. Additionally, Confluence Health did not receive any reports that indicate PHI misuse.
Confluence Health has already sent notification letters by mail to the affected patients. Additional measures have been implemented to enhance systems security and to detect suspicious email or network activity more rapidly. Confluence Health also reported the breach to the Department of Health and Human Services Office for Civil Rights. But OCR has not publicly disclosed the number of patients affected by the incident.
This phishing attack is the latest of several attacks on healthcare companies. In the past two months, phishing attacks occurred at Sunspire Health in New Jersey, Terteling Co. Inc, Group Benefit Plan in Idaho, Alive Hospice in Tennessee, and Boys Town National Research Hospital.