Health Quest, which is already a part of Nuvance Health, found out that the impact of the phishing attack in July 2018 was more extensive than first believed.
A number of employees were fooled into sharing their email credentials by phishing emails, thus allowing unauthorized people to access their accounts. A top-rated cybersecurity agency assisted with the investigation to determine whether there was a compromise of patient information.
In May 2019, Quest Health learned that the emails and attachments in the compromised accounts contained 28,910 patients’ protected health information (PHI) and so the health system sent breach notification letters to the affected persons. The information contained in the compromised accounts included patient names, contact information, claims details, and some health data.
A secondary investigation of the breach uncovered on October 25, 2019 the compromise of one more email account of an employee containing PHI. Based on the substitute breach notification posted on the Quest Health website, the compromised data were different from one patient to another, however, the names and at least one of these data elements may have been included:
Dates of birth, driver’s license numbers, Social Security numbers, Medicare Health Insurance Claim Numbers (HICNs), provider name(s), dates of treatment, treatment and diagnosis details, health insurance plan member and group numbers, health insurance claims details, financial account details with PIN/security code, and payment card details.
There is no evidence found that unauthorized people accessed patient data. There is also no report received about the misuse of patient information. For safety precaution, on January 10, 2020, Health Quest sent another notification letter to patients.
Because of the breach, Quest Health now uses multi-factor authentication for email accounts and fortified security procedures and gave employees additional training on phishing and other cybersecurity problems.
There is no clear statement as to how many additional patients were affected by the breach. To date, the number of individuals impacted as listed on the HHS’ Office for Civil Rights breach portal remains 28,910 individuals.