The Connecticut Department of Social Services (DSS) announced a potential exposure of the protected health information (PHI) of 37,000 people due to a number of phishing attacks that took place between July and December 2019.
A number of email accounts were accessed and used to distribute spam emails to many DSS staff members. The investigation of the breach established that the incident was the result of phishing attacks. A detailed investigation was conducted using state information technology assets and a third-party forensic IT organization. The investigators did not uncover any proof that the attackers gained access to patient information in the email accounts. However, the DSS breach notification mentioned that the forensic professionals could not rule out that the attackers accessed personal data, because of the large volume of emails involved and the type of phishing attack.
As a precaution, DSS provided identity theft protection services to the individuals and took action to strengthen email security and better protect against phishing attacks in the future.
Phishing Attack on LSU Health Care Services
The Louisiana State University (LSU) Health New Orleans Health Care Services Division reported a likely exposure of the information of its patients from a few hospitals in Louisiana after an unauthorized individual accessed a staff email account.
The breach of the email account occurred on September 15, 2020. LSU discovered the attack on September 18 and quickly blocked the email account. An investigation of the incident found no evidence that the unauthorized individual accessed or obtained patient information in the email messages and attached files.
The compromised email account was found to contain the PHI of patients from the hospitals listed below:
- Bogalusa Medical Center in Bogalusa
- University Medical Center in Lafayette
- Interim LSU Hospital in New Orleans
- Leonard J. Chabert Medical Center in Houma
- Lallie Kemp Regional Medical Center in Independence
- O. Moss Regional Medical Center in Lake Charles
The types of data likely exposed differed from one patient to another and by medical center location, but may have included names, telephone numbers, dates of birth, addresses, health record numbers, account numbers, Social Security numbers, dates of service, types of services received, insurance ID numbers, and certain financial account details and medical data. The investigation into the incident is still ongoing, but so far “thousands” of patient records have been identified as compromised.
At this time, LSU Health is reviewing further security procedures to better defend against more attacks. Employees have also received more information and security training.