Quest Health Systems Locates More Patients Impacted by 2018 Phishing Attack


Health Quest, which now forms part of Nuvance Health, has become aware that the phishing attack it experienced in July 2018 was more wide-reaching than first thought.

Many employees were fooled by phishing emails and shared their email credentials, which allowed unauthorized individuals to access their accounts. A well-known cybersecurity firm was engaged to help with the investigation and determine whether any patient information had been impacted.

In May 2019, Quest Health became aware that the protected health information of 28,910 patients was included in emails and attachments in the impacted accounts, and notification letters were sent to those individuals. The compromised accounts contained patient names, contact information, claims data, and some health data.

A secondary investigation of the breach showed, on October 25, 2019, that another employee’s email account containing protected health information had been compromised. According to the substitute breach notification on the Quest Health website, the compromised data varied from patient to patient, but may have included one or more of the following data elements in addition to names:

Dates of birth, Social Security numbers, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), provider identities, dates of treatment, treatment and diagnosis information, health insurance plan member and group numbers, health insurance claims details, financial account data with PIN/security code, and payment card information.

No proof of unauthorized viewing of patient data was found, and no reports have been logged to indicate any patient information was improperly used. Out of an abundance of caution, additional letters were sent to patients on January 10, 2020.

Quest Health is now implementing multi-factor authentication on its email accounts, has bolstered security processes, and has provided more training to its HQ staff on phishing and other cybersecurity issues.

It is currently not known how many extra patients have been impacted.