California Medical Center Hit by Phishing Attack, Exposing Patient Data

On March 8, 2024, a California medical center filed a data breach notice with the state Attorney General after discovering that an email phishing attack had given an unauthorized party access to employee email accounts.

The attack, which exposed sensitive patient data, was discovered on January 9, 2024. Two medical center employees had responded to phishing emails and disclosed their credentials, which allowed unauthorized individuals to log in to the employees' email accounts.

According to the data breach notice, when the medical center discovered the breach it immediately secured the affected email accounts and enhanced its security controls. It also began an investigation to determine what had happened, what information was involved, and to whom that information belonged. The investigation found that the email accounts were accessed for brief periods between January 9, 2024, and January 22, 2024.

The information exposed in the breach included patient names, Social Security numbers, and one or more of the following: mailing address, email address, date of birth, medical record number, health insurance information, treatment cost information, and/or clinical information, such as medications, provider name, or diagnosis.

The medical center said it is continuing to enhance its security controls, as appropriate, to reduce the risk of similar incidents in the future. It is also continuing to provide phishing prevention training and education to its employees.

Compliance Perspective

Issue

Phishing is a type of cyberattack that tricks individuals into disclosing sensitive information, such as login credentials, through electronic communication (most often email) by impersonating a trustworthy source. A successful phishing attack can result in identity theft, financial loss, discrimination, stigma, mental anguish, and harm to the reputation, health, or physical safety of the individual, or of others identified in the individual's electronic protected health information (ePHI). When ePHI is compromised in a breach such as this one, highly sensitive details of an individual's medical record are exposed.

Discussion Points

    • Review policies and procedures related to the Health Insurance Portability and Accountability Act (HIPAA) and ePHI. Ensure that they address how ePHI is secured and how staff should recognize and avoid attempts by unauthorized individuals to obtain credentials or data. Update them as new information becomes available.
    • Train staff involved in the use and maintenance of the organization's information systems on the HIPAA Rules, including the requirements for conducting risk assessments. Train all staff on HIPAA and ePHI upon hire and annually, including how to recognize and avoid phishing schemes and malware, how to prevent unauthorized release of ePHI, and how to detect and report malicious software. Document that the training occurred and file the signed training record in each employee's education file.
    • Periodically audit to confirm that the facility's HIPAA and ePHI policies and procedures are being followed by all staff and that each person demonstrates understanding and competency. Also periodically audit to confirm that ongoing risk analysis is being conducted and that computers and other devices are regularly scanned and updated.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*