Solara Medical Supplies, LLC in Chula Vista, CA, experienced a phishing attack that potentially compromised the protected health information (PHI) of many of its clients.
On June 28, 2019, Solara Medical identified suspicious activity in an employee's email account and started an investigation to determine the nature and magnitude of the breach. Solara Medical and third-party computer forensics professionals investigated the breach and found it was quite extensive. Several Office 365 email accounts had been compromised from April 2, 2019 to June 20, 2019.
All breached accounts underwent programmatic and manual analysis to determine whose PHI was potentially exposed. The information contained in the email accounts differed from patient to patient. The compromised information included patients’ first and last names along with one or more of the following data elements: address, birth date, employee ID number, health insurance details, financial information, credit card/debit card number, password/PIN or account login details, passport details, Social Security number, driver’s license number, state ID number, Medicare/Medicaid ID, claims details, and billing records.
Solara Medical promptly secured the compromised accounts upon discovery of the breach and added more security measures to improve email security. People affected by the breach received notification letters and free one-year credit monitoring and identity theft protection services.
The breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights, but the OCR breach portal has not published the breach yet. Hence, the number of individuals impacted by the breach is still uncertain.
Select Health Network Phishing Attack
Select Health Network in Mishawaka, IN experienced a phishing attack that potentially compromised the PHI of a number of people.
After suspicious activity was detected in the email accounts of some employees, computer forensics professionals investigated the phishing attack. The investigation confirmed that several email accounts were compromised between May 22, 2019 and June 13, 2019.
Select Health Network received the audit results for the compromised email accounts on October 1, 2019, which confirmed that the accounts contained a wide range of PHI.
The exposed data, which differed from person to person, included patients’ first and last names coupled with one or more of the following: birth date, address, member ID number, medical insurance information, medical record number, medical report, name of treating/referring doctor, treatment information, treatment expenditure, and medical insurance policy number. Some patients’ Social Security numbers were also exposed.
Select Health Network has not received any report of patient information misuse caused by the breach. Those who had their Social Security numbers exposed received 12 months of complimentary credit monitoring and identity theft protection services.
Select Health Network re-evaluated its policies and procedures and implemented additional safety procedures to fortify email security and avert similar phishing attacks.