Presbyterian Healthcare Services and Three Rivers Community Health Group Data Breaches Impact About 184,000 Patients


Presbyterian Healthcare Services in New Mexico is informing about 183,000 patients and health plan members about the exposure of some of their protected health information (PHI) as a result of a recent security breach.

A number of Presbyterian Healthcare Services employees got phishing emails some time on May 6, 2019. Some employees replied to the email messages and unintentionally shared their credentials to the attackers. The attackers used the credentials to access accounts that contain sensitive data including names, Social Security numbers and birth dates.

Presbyterian Healthcare Services knew about the breach on June 9 and promptly secured the compromised accounts. The breach investigators found no evidence of access or theft of any personal data by the attacker and there were no reports received that indicate the misuse of any PHI.

The breach impacted about 21% of all patients and plan members of Presbyterian Healthcare Services. Impacted people received offers for free credit monitoring and identity theft protection services for one year. They were also told to keep track of their accounts and explanation of benefits statements for any suspicious transaction.

Presbyterian Healthcare Services is improving its email security to avoid breaches of this nature from happening again.

Phishing Attack on Three Rivers Community Health Group

Perry County Medical Center, Inc. also called Three Rivers Community Health Group, discovered on May 28, 2019 that an unauthorized person accessed an employee’s email account and potentially viewed 3,812 patients’ data.

External computer experts conducted a forensic investigation and confirmed the unauthorized access of patient information including names, birth dates, dates of service, doctors’ names, prescription details, ID numbers and medical insurance group. The breach did not include financial data or Social Security numbers.

The investigators did not find any evidence of unauthorized access or theft of data. The community health group did not get any report of identity theft or PHI misuse. As a safety measure, all affected persons were offered free credit monitoring and identity theft protection services.

Because of the attack, Perry County Medical Center reviewed its privacy and security controls and will implement additional protections to strengthen email security.