While medical data breaches are climbing in general, last week, we witnessed a huge jump between July 11, 2018 and July 16, 2018, different medical facilities reported PHI data breach. All occurred through the same medium – hacked email accounts of internal employees. Here’s a brief of the recent trail of healthcare cyber attacks.
Texas UMC Health System Data Breach Affected 18,000 Patients
On July 11, 2018, the IT security team of UMC Physicians (UMCP) noticed a hacked email account of one of the staff members. Upon further scrutiny, they found the email account suffered a compromise on March 15, 2018.
They suspect around 18,000 patients’ PHI may have had details leaked since then. This includes everything from personal details to medical history and health records of the patients.
As explained in their press release,
“UMCP has no evidence of actual or attempted misuse of personal information at this time…. UMC and UMCP understand this incidence may create worry and inconvenience for patients, and the health system sincerely apologizes and regrets that this incidence has occurred.”
After noticing the breach, officials began notifying affectees. They also offer them a one-year free credit monitoring and identity restoration service.
Alive Hospice Data Breach Exposed Information For Four Months
The Tennessee-based hospital, Alive Hospice, disclosed a data breach in a press release on July 13, 2018. Reportedly, the medical facility exposed suffered email phishing attacks for months. As a result, some unknown hackers hacked two of their employees’ accounts to access patients’ data.
On May 15, 2018, Alive Hospice noticed some unauthorized activity on one of the affected email accounts. They immediately began investigations which revealed further details about the incident.
As stated in their press release,
“The investigation determined the unauthorized activity began on or around December 20, 2017, for one user, and on or around April 5, 2018, for the other user. The investigation also determined that the emails affected by this incident contained personal information.”
The details leaked as a result of Alive Hospice data breach include all personal details, medical history, and other sensitive information of the patients. Nonetheless, the officials confirm no misuse of the leaked data.
“To date, Alive Hospice has no evidence that any information potentially impacted by this incident was subject to actual or attempted misuse.”
After the incident, authorities began contacting affectees to inform them of the breach. However, they do not reveal the exact number of affectees in their media release.
PHI Data Breach Of 8,400 Patients At Billings Clinic
On July 13, 2018, Billings Clinic disclosed a data breach that exposed details of 8,400 patients. Hospital authorities reported strange activity on one of the employees’ email accounts on May 14, 2018. Later, they found that the hackers hacked the email account while the employee was traveling overseas.
The authorities quickly disabled the hacked account. Yet, they suspect that the hackers may have accessed some records. The breached data supposedly includes patients’ names, contact addresses, and other medical details.
As stated in their media release,
“There was no unauthorized access to Billings Clinic’s electronic medical record or financial systems, and there is no indication that any patient information has been misused. However, we are notifying patients that the following types of information were included in the email account: first initial or first name, last name, date of birth, contact information, medical record numbers, internal financial control numbers, diagnosis, and limited information about medical services received. Each patient had different types of information included in the emails, and no one email contained all of these types of information.”
Sunspire Health Faced Email Phishing Campaign
In their media release on July 16, 2018, Sunspire Health, a medical facility in New Jersey, confirmed the PHI data breach. Reportedly, Sunspire became a victim of an email phishing campaign that affected numerous email accounts.
As explained in their statement,
“Between April 10, 2018, and May 17, 2018, Sunspire learned that its employees became the target of a phishing email campaign that compromised several email accounts… With the help of third-party computer forensic investigators, Sunspire has determined that unknown individuals may have gained access to certain Sunspire employee email accounts between March 1, 2018, and May 4, 2018.”
While the investigations continue, for now, authorities report the hackers may have accessed some data through the hacked accounts. The breached data may include patients’ names, birthdays, contact addresses, diagnosis and treatment details, health insurance information, and Social Security numbers. Nonetheless, Sunspire confirms no misuse of breached data.
Furthermore, they are contacting the affected patients and are offering free identity and credit monitoring services to them. However, they did not state the exact number of affected individuals.
UPMC Cole PHI Data Breach Affected 790 Patients
According to the press release on July 16, 2018, UPMC Cole suffered an email phishing attack that resulted in PHI data breach of 790 patients. UPMC faced two phishing attacks on June 7, 2018, and June 14, 2018. They confirmed that the medical records remained safe. However, the hackers supposedly accessed some of the patients’ data through these email accounts.
“The following information was discovered in the e-mails to varying degrees for each patient, including patients’ names, dates of birth, scheduling information, types of procedures, names of providers, and other general treatment information.”
Whereas, they confirm that the social security numbers remained safe from the breach.
In his statement regarding the data breach, Ed Pitchford, President and Senior Executive at UPMC Cole, apologized to the patients. He said,
“UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes. But, out of an abundance of caution, we deemed it appropriate to inform those possibly affected by this breach.”
Since this all has occured over the space of a week it is clear data breach incidents within the healthcare need to be addressed.
