14,591 DHS Patients Affected by Phishing Attack on California Business Associate

Nemadji Research Corporation, operating under the name of California Reimbursement Enterprises, has announced that an unauthorized individual accessed the email account of one of its employees. The protected health information (PHI) of the company’s clients may have been viewed or copied.

California Reimbursement Enterprises provides patient eligibility and billing services as a business associate to a number of healthcare facilities and hospitals based in California. The company is also a Los Angeles County Department of Health Services (DHS) service provider.

On March 28, 2019, an IT staff member noticed strange activity in an employee’s email account, which led to the discovery of the potential email account breach. A third-party computer forensics specialist assisted in the investigation of the breach. Nemadji confirmed that the attacker accessed the email account several hours after the employee responded to a phishing email.

On June 5, 2019, an analysis of all messages in the email account confirmed the exposure of patient information. Nemadji sent notifications to all impacted business partners.

The breached email account was used by California Reimbursement Enterprises for correspondence with DHS regarding the services it provided. Some emails contained the PHI of some individuals. On June 26, 2019, Nemadji informed DHS about the breach and stated that 14,591 DHS patients were impacted.

The potentially breached information included names along with one or more of the following: address, phone number, birth date, patient account number, medical record number, Medi-Cal ID number, admission date(s), discharge date(s), and month and year of service. The diagnostic codes of four patients and the Social Security numbers of two patients were also exposed.

Nemadji sent breach notifications to the affected patients on July 8, 2019 and offered them free credit monitoring and identity theft protection services.

Nemadji also evaluated its cybersecurity defenses and implemented additional security measures to lower the risk of further breaches. Employees received extra training and the IT department enhanced its email security protections.