Two newly revealed phishing attacks in 2018 potentially compromised 41,000 patients’ ePHI
Every time I think I’m ready to total out the March data on health data attacks or incidents, another incident pops up belatedly on HHS’s site. This time, there were two reports that I had to add yesterday.
One was a report from Palmetto Health in South Carolina (now part of Prisma). Palmetto reported that a phishing attack sometime in November, 2018 necessitated months of investigation.
After completing this extensive review process, on February 19, 2019, we were alerted to the names of the individuals whose information was within the accounts – which contained some patient names and other patient information typically used by a health care provider in the course of providing treatment or consultation. A lesser portion of the emails contained social security numbers and medical insurance information.
All told, 23,811 patients were sent notifications. HHS was notified on March 29.
Palmetto’s report was similar to another newly disclosed phishing attack that potentially compromised ePHI.
Womens’ Health USA, a business associate headquartered in Connecticut, disclosed that its employees were hit by a phishing attack that began in April, 2018 and also occurred in August. It took months of investigation before covered entities could be notified on March 15, 2019.
Notification letters were sent out to 17,531 patients on March 29.