Email accounts that held the protected health information (PHI) of patients were compromised at Advent Health Partners and Loyola University Medical Center.
Loyola University Medical Center
Loyola University Medical Center (LUMC) has informed 16,934 patients regarding the potential compromise of some of their PHI because an unauthorized person acquired access to a worker’s email account. On October 31, 2021, upon noticing suspicious activity with the email account, LUMC secured the account quickly and launched an investigation to find out the nature and extent of the attack.
The investigation showed the account had been accessed from October 29, 2021 to October 31, 2021, however, it wasn’t possible to find out whether any email messages or file attachments were viewed or obtained. There was no proof found that suggests actual or attempted improper use of patient data.
An analysis of the email messages within the account showed they included these types of patient data: Complete name, address, phone, birth date, email, and medical data like medical record number, ailments, prescription drugs, test data, healthcare facility, type of service and a number of health plan details.
Although the incident is considered to have a low risk of identity theft and fraud, impacted persons were offered a free 12-months membership to a credit monitoring and dark web monitoring service.
LUMC stated it has spent a considerable amount in cybersecurity and has a solid security program that consists of dedicated cybersecurity staff, assessment of security controls, and 24/7/365 tracking.
Advent Health Partners
Advent Health Partners based in Nashville, TN provides hospital groups with claims management services. It was found at the beginning of September 2021 that an unauthorized person had acquired access to selected employee email accounts. An investigation into the incident confirmed the magnitude and nature of the data breach. On December 8, 2021, a number of files in the breached email accounts were possibly accessed.
Advent Health Partners is provided with limited data sets for regular operational purposes linked to communications with medical insurance providers, and a number of that data was kept in email file attachments.
The company sent notifications to all impacted persons and provided a free membership to credit monitoring and identity theft protection services. Advent Health Partners stated it has evaluated and updated its security guidelines and has enforced more safety measures to enhance email security.
The HHS’ Office for Civil Rights breach portal has not yet exhibited the breach, and so it is presently uncertain how many people were impacted.