Potential Exposure of Patient PHI in Metrocare Services and Summit Medical Group Data Breaches


A phishing attack on Metrocare Services, the biggest mental health services provider in North Texas, resulted in the compromise of the protected health information (PHI) of 1,804 patients. A number of email accounts of employees were compromised during the phishing attack and the first breach of account occurred on August 2, 2018. Metrocare only became aware of the phishing attacks on September 4.

When Metrocare Services discovered the breach, the compromised accounts were immediately secured. Employees were provided additional training about information security. Extra control measures were introduced to enhance the protection of its information technology infrastructure. Email security was also toughened.

The breach investigators cannot ascertain if the attackers accessed any email that contain patients’ protected health information (PHI). However, they also couldn’t rule out data access even if there was no report received indicating the misuse of any PHI.

The types of patient information exposed included names, birth dates, driver’s license numbers, medical insurance details, information about the services obtained from Metrocare and Social Security numbers, but they vary from patient to patient.

Metrocare began sending notification letters by mail to the affected patients on November 1. Metrocare offered One year of complimentary credit monitoring and identity protection services to the patients whose Social Security numbers were possibly compromised and advised all affected patients to monitor their Explanation of Benefits statements in case they see transactions of healthcare services that they have not received or were not authorized.

Summit Medical Group likewise notified some of its patients about the potential compromise of their PHI. Apparently, the notebook of a medical assistant in the Berkeley Heights dermatology office of Summit Medical Group, which contained some patients’ PHI, was found missing on September 5, 2018. A search for the missing notebook was conducted, but the lost item was not found. Summit Medical Group interviewed employees and reviewed the security camera footage, but there was no evidence of theft uncovered.

The notebook was solely used in the dermatology office for writing notes on patients that the medical assistant saw since January 12, 2018. The recorded information in the notebook differed for each patient, which may include names, birth dates, addresses, phone numbers, Medicare IDs, medical insurance numbers and treatment details.

It’s possible that the notebook was stolen, so Summit Medical Group advised patients to keep track of their account and explanation of benefits statements for possible identity theft and fraudulent activities.