Meharry Medical College based in Nashville, TN, has identified an email account breach that potentially resulted in the access or theft of up to 20,983 patients’ protected health information (PHI) by unauthorized persons.
Meharry Medical College discovered the breach around July 28, 2020 and blocked the account immediately. Third-party technical professionals investigated the incident and stated that only one email account was involved. On September 1, 2020, the investigators said that because of the nature of the breach, it was likely that the hackers copied the contents of the email account, probably unintentionally in the course of the regular email synchronization process.
An evaluation of the email account content showed that it contained the full names of patients, birth dates, provider names, diagnoses/diagnostic codes, internal patient account numbers, and other medical data. The Social Security numbers, Medicare/Medicaid numbers, and medical insurance details of some patients were also included.
Persons who had Social Security numbers potentially exposed received free identity theft protection services.
Phishing Attack on MEDNAX Services Inc. Potentially Exposed PHI
MEDNAX Services Inc based in Sunrise, FL provides revenue cycle management and some administrative services to affiliated physician practice networks. The company discovered on June 19, 2020 that unauthorized persons were able to access its Microsoft Office 365-hosted email system because of employees that responded to phishing email messages.
Aided by a national forensic company, MEDNAX confirmed the compromise of several business email accounts from June 17, 2020 to June 22, 2020. These accounts were independent of the internal network and systems of MEDNAX. An evaluation of the compromised email accounts showed they included the names of patient and guarantors, email addresses, addresses, birth dates, Social Security numbers, state ID numbers, driver’s license numbers, financial account data, medical insurance details, medical and treatment data, Medicare/Medicaid numbers, and billing and claims data. MEDNAX could not determine what patient information the unauthorized persons accessed if any.
Impacted persons received free membership to identity monitoring services for 12 months. MEDNAX has carried out an evaluation of its security controls and will take steps to improve security to avoid the same breaches later on.