Three Email Security Incidents Exposed PHI

In the past few days, there were three reports of email system breaches that resulted in the unauthorized access of email accounts that contain protected health information (PHI).

Navicent Health, based in Macon, GA, is notifying patients that some of their PHI was potentially compromised in a phishing attack on its email system. The breach was discovered in July 2018; Navicent Health notified law enforcement and called in a computer forensics team to investigate.

In a substitute breach notice posted on Navicent Health’s website, the health system said it only received confirmation on January 24 that the breached email accounts contained patient information. No explanation was given for the 6-month delay in determining that patients’ PHI had been compromised.

The attackers potentially accessed the following types of information: names, addresses, birth dates, and some healthcare data including appointment dates and billing details. The Social Security numbers of some persons were also exposed. Navicent Health did not confirm if the attackers viewed or downloaded any patients’ PHI.

Navicent Health has notified all patients affected by the breach and offered free identity theft protection services to those whose Social Security numbers were potentially exposed. It is also working with several cybersecurity companies to enhance security and prevent further breaches.

Human Development Center (HDC) in Duluth, MN became aware of an email account compromise while analyzing its email logs on January 25. An unauthorized person accessed an employee’s email account on two occasions – January 16 and 18, 2019.

Analysis of the compromised email account found that it contained the PHI of clients: names, birth dates, internal HDC client numbers, details of the HDC services obtained, and procedure codes. The breach affected clients who had obtained services from HDC between 2011 and 2018.

HDC believes there is a low possibility that the information was accessed or misused. HDC has notified the individuals affected by the breach.

Frederick Regional Health System, based in Frederick, MD, discovered that unauthorized persons potentially accessed the PHI of some hospice patients as a result of a phishing attack. The health system became aware of the phishing attack on January 21, 2019, and the unauthorized account access was terminated immediately.

A review of the compromised email account and its attachments showed they contained names, health insurance details, type of health insurance, and Social Security numbers for a number of patients. The breach affected patients who received hospice services from the health system between June 2017 and January 2019.

The breach investigators found no evidence that PHI was misused. As a precaution, Frederick Regional Health System offered one year of free credit monitoring and identity theft protection services to eligible patients. Since the breach, security has been enhanced and employees have received additional email security training.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]