Breaches at Legacy Community Health Services, Georgia Department of Human Services and Einstein Healthcare Network

Oct 13, 2020 | Compliance News

Legacy Community Health Services Phishing Attack Affects 228,000 Persons

Legacy Community Health Services in Texas is notifying 228,009 patients about a breach of their protected health information (PHI). An unauthorized individual accessed PHI stored in an employee email account.

Legacy Community Health Services detected the breach on July 29, 2020. The breach occurred when an employee responded to a phishing email and disclosed their login credentials to the attacker. The email account was secured promptly, and a computer forensics firm investigated the incident.

No evidence was found that the attacker viewed emails or stole electronic PHI; nevertheless, the possibility of data theft could not be fully ruled out. The data in the exposed email account included patient names, dates of service, and health information related to care received at Legacy, along with the Social Security numbers of some patients. Complimentary credit monitoring and identity protection services were offered to individuals whose SSN was exposed.

Legacy Community Health Services has strengthened its email security, and employees have received additional training on identifying and avoiding phishing emails.

Georgia Department of Human Services Uncovers Breach of Several Employee Email Accounts

Unauthorized individuals accessed the email accounts of several Georgia Department of Human Services (DHS) employees. The accounts contained the personal information and PHI of parents and children involved in Child Protective Services (CPS) cases with the DHS Division of Family & Children Services (DFCS).

The Georgia Department of Human Services discovered in August that the emails the attackers likely accessed contained personal information and PHI. The breach investigation determined that the unauthorized persons had access to the accounts between May 3, 2020 and May 15, 2020.

The types of data exposed varied from person to person and may have included full names, names of family members, relationship to the child receiving services, county of residence, date of birth, age, DFCS case numbers, DFCS identification numbers, number of times contacted by DFCS, an indicator of whether face-to-face contact was medically appropriate, phone numbers, email addresses, Medicaid medical insurance identification number, Medicaid identification number, Social Security number, medical provider name, and visit dates.

Psychological reports, counseling notes, health diagnoses, and substance abuse information pertaining to 12 individuals were also present in the breached email accounts, along with the bank account information of one individual.

Phishing Attack on Einstein Healthcare Network

Einstein Healthcare Network, based in Philadelphia, PA, has notified 1,821 patients that some of their PHI was potentially accessed by unauthorized individuals who gained access to several employee email accounts. The provider discovered the email security breach on August 10, 2020; according to the investigation, the attacker had access to the email accounts from August 5 to August 17, 2020.

An analysis of the breached email accounts showed they contained information such as patients’ names, dates of birth, patient account or medical record numbers, and/or treatment or medical information, for instance diagnoses, prescribed medications, healthcare provider names, types of treatment, or treatment locations. The health insurance information and/or Social Security numbers of some patients were also exposed.

It was not possible to determine whether the attackers accessed or copied any emails. Because data theft could not be ruled out, patients whose Social Security numbers were exposed were offered one year of free credit monitoring and identity protection services.

Einstein Healthcare Network has provided its employees with additional training on identifying and avoiding suspicious emails and has taken steps to strengthen its email security.
