Email Security Breach at Saint Alphonsus Health System and Southeastern Minnesota Center for Independent Living

Saint Alphonsus Health System, based in Boise, ID, experienced a phishing attack that potentially compromised patient data. The attack also affected patients of Saint Agnes Medical Center in Fresno, CA.

Saint Alphonsus detected abnormal activity in an employee's email account on January 6, 2021. The provider promptly secured the account and carried out an investigation to determine the impact of the activity. Saint Alphonsus confirmed that an unauthorized individual accessed the email account on January 4, 2021, and had access to the account and the information stored in it for two days. The attacker used the email account to send phishing emails to other contacts in an effort to obtain usernames and passwords.

The employee whose email account was compromised assisted with some business tasks that required access to protected health information (PHI), such as carrying out billing functions for the West Region of Trinity Health, including Fresno.

A review of all emails and attachments revealed that the account contained the PHI of a number of patients. The PHI in the account varied from patient to patient and included full names combined with at least one of the following data elements: phone number, birth date, address, email address, medical record number, treatment data, and/or billing details. The account also contained a few credit card numbers and Social Security numbers.

Although the provider confirmed the unauthorized account access, it was not possible to determine which email messages, if any, the attacker accessed. At the time notices were sent, no evidence had been found to suggest misuse of any patient data. Saint Alphonsus offered credit monitoring services to affected individuals and gave personnel additional training on email and cybersecurity to prevent similar breaches in the future.

While patients were being notified about the breach, a mail merge error occurred. Some patients received a letter informing them of an email security incident, but because of the mail merge problem, the letters listed the wrong status for certain patients, addressing them as deceased or as a minor.

It is not currently known how many patients were affected by the incident. Updates will be provided as soon as additional details are available.

Southeastern Minnesota Center for Independent Living Phishing Attack Affects 4,122 Persons

Southeastern Minnesota Center for Independent Living (SEMCIL), a disability and support services provider in Rochester and Winona, has discovered that an unauthorized person gained access to an employee's email account containing the PHI of 4,122 persons.

An investigation into the breach showed that the account was compromised on August 6, 2020, and that the attacker had access to the email account until September 1, 2020. The investigation established on December 22, 2020, that PHI was exposed, including names, addresses, birth dates, driver's license numbers, Social Security numbers, and some medical treatment data. SEMCIL began mailing notification letters to affected individuals on February 19, 2021.

The investigation did not find any evidence that PHI was viewed or exfiltrated. There have also been no reports of improper use of any PHI. As a precaution against identity theft and fraud, individuals whose driver's license number or Social Security number was exposed were offered complimentary identity theft protection services.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.