10,000 Patient Records Exposed Due to Phishing Attacks on Three Healthcare Organizations

Phishing attacks on National Seating and Mobility, Partners for Quality, and Alana Healthcare resulted in the exposure of patients’ protected health information (PHI).

3,673 Partners For Quality Clients Affected

On February 19, 2019, Partners For Quality, Inc. (PFQ), a group that provides services and support for people with intellectual and developmental disabilities, identified suspicious activity in some employee email accounts.

With the help of a third-party computer forensics firm, PFQ confirmed that an unauthorized person accessed three email accounts from January 19 to February 27, 2019. Upon analysis of the compromised accounts, PFQ found sensitive data of customers and employees. The affected customers include those who previously received services from PFQ, Citizen Care Inc., Allegheny Children’s Initiative Inc., Milestone Centers Inc. or Exceptional Adventures.

The following highly sensitive PHI was stored in the compromised accounts: names, birth dates, medical record numbers, diagnoses and treatment details, Social Security numbers, billing and claims details, health insurance data, driver’s license numbers, credit and debit card numbers, banking and financial account numbers, usernames, passwords and PIN numbers.

No reports indicate the misuse of any client or employee data, but data access was possible. All people with a valid postal address were mailed notifications about the breach.

PFQ updated its policies and procedures as needed and implemented additional safety measures to strengthen the security of stored sensitive information. Affected people were advised on how to secure their identities and to monitor their accounts for signs of identity theft and fraud. Despite the breach of sensitive information, no credit monitoring and identity theft protection services were offered.

3,800 National Seating and Mobility Patients Affected

National Seating and Mobility (NSM), a company based in Franklin, TN that manufactures seating and mobility systems, discovered unauthorized access to some employees’ email accounts due to a phishing attack.

The breach happened on or around February 14, 2019, but NSM promptly terminated the unauthorized access to the email accounts upon discovery. The immediate response significantly limited the attackers’ access to the emails. NSM performed an investigation with the help of third-party computer specialists. Their findings showed limited client information in the email accounts, including names, addresses, birth dates, diagnosis/diagnostic codes, and other details associated with providing a mobility device. The driver’s license number, Social Security number, Medicare/Medicaid number, medical insurance details and/or guarantor’s personal data of some people were also exposed.

According to the third-party computer specialists, the attackers may have inadvertently copied the email accounts of certain employees during the regular email synchronization process. Although there is no evidence to indicate the misuse of exposed data, NSM offered free credit monitoring and identity theft protection services to those affected by the breach. NSM is reviewing its security procedures and will improve defenses to prevent other breaches.

2,691 Alana Healthcare Patients Affected

On January 17, 2019, the care management firm Alana Healthcare in Nashville, TN identified unauthorized access to one employee’s email account. A third-party computer forensics firm helped Alana Healthcare investigate the breach, and on March 14, 2019 found that the email account contained the sensitive data of 2,691 patients.

The names of patients, dates of birth, some health data and Social Security numbers were exposed. Alana Healthcare mailed notification letters to affected patients and offered them credit monitoring and identity theft protection services, even though there is no report to indicate the misuse of any patient information.

To avoid another data breach, Alana Healthcare employees will receive additional training. Multi-factor authentication will be applied to employees’ email accounts. The need for further protection of sensitive information will be assessed.