OH: Five Rivers Health Centers notified 155,748 patients after phishing incident
On May 28, Five Rivers Health Centers in Ohio notified HHS about a data security incident that impacted 155,748 patients. The following is their media notice, linked from the home page of their web site if you can find it (see attached, where I highlighted the location of the link on their home page). DataBreaches.net notes that they do not say when they first discovered the breach or how they discovered it.
Five Rivers Health Centers (“Five Rivers”) is committed to maintaining the privacy and security of the information that it maintains. On May 28, 2021, Five Rivers notified certain individuals about an email compromise that was the result of a phishing email incident. Upon learning of the situation, Five Rivers secured the accounts and commenced a prompt and thorough investigation. As part of its investigation, it worked very closely with external cybersecurity professionals.
After an extensive forensic investigation and manual document review, Five Rivers discovered on March 31, 2021 that the email accounts that were accessed between April 1, 2020 and June 2, 2020 contained personal and/or protected health information, including names, dates of birth, addresses, Medical Record Number (MRN), Patient Account Number (PAN), medical diagnosis, treatment and/or clinical information, test results or lab reports, provider name, date of service, treatment cost information, prescription information, health insurance information and/or policy numbers, and Medicaid or Medicare numbers. Financial account numbers, payment card numbers, driver’s license or state identification number, and/or Social Security number for a limited number of individuals were also included in the impacted accounts. This incident does not affect all clients of Five Rivers and not all information was included for all individuals.
Five Rivers has no evidence that any information was or will be used for any unintended purpose. Notified individuals have been provided with best practices to protect their information and have been reminded to remain vigilant in reviewing financial account statements on a regular basis for any fraudulent activity. It has also been recommended that affected individuals review the explanation of benefits statements that they receive from their health insurance providers and follow up on any items not recognized. Individuals whose Social Security numbers were contained in the impacted accounts have been offered complimentary credit monitoring for twelve months. Finally, Five Rivers has taken steps to improve internal procedures to identify and remediate future threats in order to minimize the risk of a similar incident in the future, including implementing two-factor authentication, reviewing and revising policies and procedures and requiring additional cybersecurity training for all employees.
We remain fully committed to maintaining the privacy of personal information in our possession and have taken many precautions to safeguard it. We continually evaluate and modify our practices to enhance the security and privacy of personal information.
For further questions or additional information regarding this incident, or to determine if you may be impacted by this incident, a dedicated toll-free response line has been set up at 855-537-2106.
The response line is available Monday through Friday, 9:00 a.m. to 6:30 p.m. EST.