Healthcare Phishing Incidents Lead to Big Breaches
Patient Data Exposed in Several Email-Related Cases
As healthcare organizations continue to fall victim to phishing incidents, the number of individuals affected by health data breaches involving compromised email accounts continues to rise.
Among the apparent phishing-related incidents most recently reported to federal regulators were breaches experienced by Bethesda, Maryland-based Centers for Advanced Orthopaedics; the Cancer Treatment Centers of America at Midwestern Regional Medical Center in Zion, Illinois; and Addison, Texas-based BW Homecare Holdings, which does business under the name Elara Caring. Those three breaches each affected over 100,000 individuals.
As of Monday, 125 major health data breaches affecting about 9.4 million individuals have been added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website. In 46 of those incidents, affecting a total of 2.4 million individuals, "email" was reported as the "location" of the breach, but other incidents also could have involved email, including phishing.
The largest phishing incident posted on the HHS website so far this year, reported on Jan. 8 by New York-based American Anesthesiology, affected nearly 1.3 million individuals.
In a breach notification statement, American Anesthesiology says that on July 16, 2020, it was notified that an unauthorized party had gained access to several email accounts on a business associate’s Microsoft Office 365 hosted email through a phishing attack (see: Hacking Incidents, Vendor Breaches Keep Surging).
Centers for Advanced Orthopaedics Incident
The Centers for Advanced Orthopaedics reported on March 25 an email hacking incident affecting over 125,000 individuals.
In its breach notification, CAO says that on Sept. 17, 2020, it identified unusual activity in its email environment and determined that multiple employee email accounts were subject to unauthorized access between October 2019 and September 2020.
Certain emails "were accessible to the responsible cybercriminal as a result," CAO says. "Following this discovery, CAO launched an extensive and thorough data mining effort to identify potentially affected individuals."
On Jan. 25, CAO determined that PHI was contained in emails accessible to the cybercriminal. The PHI varies by individual, and the organization cannot confirm whether the data was actually accessed or acquired by the intruder, the notice says.
Affected individuals include CAO patients, employees and their dependents, the statement says. For most employees and dependents, potentially compromised PHI includes date of birth, medical diagnosis and treatment information, Social Security number and driver’s license number. For a subset of employees and dependents, however, accessible data also potentially includes passport number, financial account information, payment card information and email/username and password.
Patient data potentially compromised includes medical diagnosis and treatment information and date of birth. For a subset of patients, however, accessible PHI exposed also included Social Security number, driver’s license number, passport number, financial account information, payment card information and email/username and password.
Cancer Treatment Centers of America Breach
Cancer Treatment Centers of America at Midwestern Regional Medical Center reported to HHS on March 19 an email hacking incident impacting nearly 105,000 individuals.
In its breach notification statement, CTCA says that on Jan. 18 it identified suspicious activity on the email account of a CTCA account holder. The investigation determined that it was possible for an unauthorized user to access information in the email account between Jan. 12 and Jan. 18.
"The account holder's password was promptly changed, and the previous email credentials could no longer be used to access the email account," CTCA says. But the organization was unable to rule out the possibility of unauthorized access. Information in the affected mailbox may have included patient names, medical record numbers, health insurance information, CTCA account numbers, and limited medical information, the notice says.
Elara Caring Business Email Compromise
The home care provider Elara Caring reported to HHS on Feb. 24 an email hacking incident affecting over 100,000 individuals.
In its notification statement, Elara Caring says it was the victim of a business email compromise scheme.
"On Dec. 9, 2020, a phishing email was sent from a known external entity to two Elara employees," the statement notes. "The intruder then gained access to a limited number of Elara employee email accounts and sent additional phishing emails from two accounts." The period of unauthorized access extended from Dec. 9 to 16, the notice says.
Upon learning of the unauthorized access, Elara Caring says it promptly changed passwords, denying access to the intruder as compromised accounts were identified. "Containment of the incident was completed on Dec. 16. This criminal activity has been reported to the FBI," the statement notes.
The organization says it is taking steps to prevent a recurrence of similar incidents, including completing an enterprisewide password change and implementing multifactor authentication for all users of its systems.
"In addition, Elara Caring conducted enhanced security training for its personnel to better detect and prevent phishing scams," the company's notification statement says.
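The Elara Caring pattern described above, in which a phished account is then used to send further phishing from inside the organization, is one that a mail administrator can watch for in their own logs. The following is an added illustration, not code from this article or from any of the organizations it names: it runs a simple "lateral phishing" check over a constructed auth-and-mail log, flagging any account that logs in from a source IP never seen for that account before and then, within the same session window, sends mail to an unusually large number of distinct recipients. The log format, the account names, the IP addresses and the threshold values are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real incident). One event per line:
#   <ISO timestamp> <account> <event> <detail>
# where event is "login" (detail = source IP) or "send" (detail = recipient).
# "alice" shows the pattern in the article: a login from a never-before-seen
# IP followed by a burst of outbound mail to many distinct recipients.
SAMPLE_LOG = """\
2020-12-08T09:00:00 alice login 198.51.100.10
2020-12-08T09:05:00 alice send bob@example.org
2020-12-08T10:30:00 alice send carol@example.org
2020-12-08T11:00:00 dave login 198.51.100.20
2020-12-08T11:10:00 dave send erin@example.org
2020-12-09T08:00:00 alice login 203.0.113.7
2020-12-09T08:04:00 alice send r1@partner.example
2020-12-09T08:05:00 alice send r2@partner.example
2020-12-09T08:05:30 alice send r3@partner.example
2020-12-09T08:06:00 alice send r4@partner.example
2020-12-09T08:06:30 alice send r5@partner.example
2020-12-09T08:07:00 alice send r6@partner.example
2020-12-09T09:00:00 dave login 198.51.100.20
2020-12-09T09:02:00 dave send frank@example.org
2020-12-09T09:30:00 eve login 192.0.2.44
2020-12-09T09:31:00 eve send gina@example.org
"""

# Assumed tuning values: how long after a login we attribute sends to that
# session, and how many distinct recipients in that session is suspicious.
WINDOW = timedelta(hours=24)
THRESHOLD = 5


def parse_log(text):
    """Parse the constructed log format into (timestamp, account, event, detail)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, detail = line.split()
        events.append((datetime.fromisoformat(ts), account, event, detail))
    events.sort(key=lambda e: e[0])
    return events


def detect_lateral_phishing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: alert} for sessions that start from a new IP for that
    account and then send to >= threshold distinct recipients within window."""
    seen_ips = defaultdict(set)   # account -> IPs seen in earlier logins
    sessions = {}                 # account -> current (most recent) session
    alerts = {}

    def close(account):
        # Evaluate the account's current session, if any, and discard it.
        s = sessions.pop(account, None)
        if s and s["new_ip"] and len(s["recipients"]) >= threshold:
            alerts[account] = {
                "source_ip": s["ip"],
                "login_at": s["login_at"].isoformat(),
                "distinct_recipients": len(s["recipients"]),
            }

    for ts, account, event, detail in events:
        if event == "login":
            close(account)
            sessions[account] = {
                "login_at": ts,
                "ip": detail,
                "new_ip": detail not in seen_ips[account],
                "recipients": set(),
            }
            seen_ips[account].add(detail)
        elif event == "send" and account in sessions:
            s = sessions[account]
            # Only sends inside the window after the session's login count.
            if ts - s["login_at"] <= window:
                s["recipients"].add(detail)

    for account in list(sessions):
        close(account)
    return alerts


if __name__ == "__main__":
    for account, alert in detect_lateral_phishing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account}: login from new IP {alert['source_ip']} at "
              f"{alert['login_at']}, then mail to {alert['distinct_recipients']} recipients")
```

Attributing each send to the account's most recent login is what keeps the alert pointed at the right session: alice's earlier, legitimate login from 198.51.100.10 is not blamed for the burst that follows the login from 203.0.113.7. A first-ever login for an account (eve here) is always "new", so the recipient threshold is what prevents a new hire's first day from paging the on-call; in a real deployment the baseline of known IPs would come from historical data rather than from the same log being analysed.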