Charleston Area Medical Center and Colorado Physician Partners Announce Data Breaches

Charleston Area Medical Center Breach Impacts 54,000 Patients

Charleston Area Medical Center (CAMC) based in Charleston, WV, has lately reported a phishing attack whereby unauthorized individuals gained access to the email accounts of a number of its personnel. The breach of the email accounts occurred between January 10 and 11, 2022. CAMC learned about the unauthorized access on January 10, took action right away to protect the impacted accounts, and a prominent cybersecurity forensics agency was involved to look into the breach.

An in-depth review was carried out on the emails found in the accounts to ascertain which patient data was potentially accessed. The team finished the audit on March 16, 2022. The forensic investigation indicates the attacker wasn’t seeking to gain access to patient information, rather, the target seemed to be to acquire employee login details, however, data theft cannot be dismissed.

The attacker possibly accessed these types of data: last and first names, medical record numbers, and medical information including discharge dates, examination results, and diagnostic and treatment data. CAMC claimed that the Social Security numbers and/or financial account numbers of below 0.001% of the probably affected people were likewise compromised, though there were no access codes exposed that would enable the access of financial accounts.

CAMC mentioned that affected persons were informed and technical security procedures were improved to avert more data breaches down the road. The breach report was sent to the HHS’ Office for Civil Rights stating that 54,000 persons were impacted.

Colorado Physician Partners Reports Email Account Breach

Colorado Physician Partners (CPP) in Denver, a network of primary care practices, has lately reported a breach of its email account. On January 27, 2022, CPP discovered that someone utilizing a foreign IP address got access to one CPP employee’s email account.

The email account was promptly secured and a third-party forensics agency investigated the incident. The investigation ended on February 24, 2022. According to the result, the breach of the email account happened from January 25 to January 27, 2022. Since access is synced, the hacker may have acquired a copy of email messages within the account.

A detailed analysis of the email messages in the account established that they included the protected health information (PHI) of 12,877 patients. Besides names, the emails included at least one of these types of PHI: birth date, Social Security number, home address, telephone number, email address, insurance ID number, dates and type of services, billing and coding for services, and sometimes, diagnoses, medical conditions, or prescription medication.

CPP mentioned it has improved its safety measures and altered the settings for how staff members get access to their email accounts. Security awareness training was additionally strengthened with its employees. CPP has sent notification letters to impacted persons and is providing free identity theft protection services.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone