Essentia Health has notified more than 1,000 of its patients about the exposure of some of their protected health information (PHI). Essentia Health is an integrated health system that provides services in Minnesota, North Dakota, Wisconsin and Idaho.
Like many other healthcare providers, Essentia Health contracts a third-party vendor for billing services in order to retrieve lost revenue. The business associate providing billing services to Essentia Health was Nemadji Research Corporation in Bruno, MN.
Essentia Health allowed Nemadji to access specific types of PHI in order to perform its contracted services. The substitute breach notice that Essentia Health posted on its webpage did not say what types of information were exposed.
Nemadji observed odd activity in an employee’s email account on March 28, 2019. According to the investigation findings, the employee fell victim to a phishing scam and disclosed his login credentials to the attacker. Nemadji’s IT department deactivated the account, but the attacker had unauthorized access to it for a few hours.
The subsequent investigation confirmed that the compromised email account contained the PHI of a number of patients of Nemadji’s clients. The L.A. Times previously reported on the exposure of the PHI of 14,591 Los Angeles Department of Health Services (DHS) patients as a result of the phishing attack. The latest report from Essentia Health reveals that other entities were also impacted by the breach.
It is uncertain at the moment how many clients of Nemadji were impacted by the data breach. The incident has not yet been posted on the Department of Health and Human Services’ Office for Civil Rights breach portal, so there is no updated report yet on the magnitude of the breach.