PHI Breached Due to Medford Phishing Attack and Penn Medicine Employee’s Misuse of Patient Data

Medford Hematology Oncology Associates Phishing Attack

A phishing attack on Medford Hematology Oncology Associates, an Oregon-based practice, resulted in the compromise of several employees' email accounts. The first account was breached on December 18, 2018; further accounts were breached up to February 22, 2019. The breach was only discovered on March 19, 2018.

Third-party computer forensics specialists investigated the breach but were unable to determine which email messages and attachments the attacker opened. The investigation concluded on April 20 and confirmed that some of the compromised emails and attachments contained patients' protected health information (PHI).

To prevent further access to the accounts by the attacker, all affected accounts were subjected to a password reset. Employees also received additional security awareness training.

Medford reported the breach to the HHS' Office for Civil Rights and to state attorneys general. The affected individuals have been notified and offered free membership in Experian's IdentityWorks credit monitoring and identity theft protection services. The number of people affected by the breach is still unclear at this time.

Former Penn Medicine Employee Accused

A medical assistant formerly working at Penn Medicine has been accused of accessing patient data without authorization and misusing at least one patient's data.

The contract employee, placed through a staffing firm, worked at Penn Medicine from February to April 2019. On April 29, 2019, Penn Medicine discovered that the employee had accessed a patient's data without any valid work-related reason.

The employee may have viewed the following patient information: names, demographic data, clinical data and, for some patients, Social Security numbers. The ex-employee accessed a total of 900 patient records during the 3 months of employment. Lauren Steinfeld, Penn Medicine's spokesperson, released a statement confirming the misuse of one patient's PHI but did not disclose the nature of the misuse.

All 900 patients have already received privacy breach notification letters. Penn Medicine is also reviewing its policy on hiring contractors from staffing agencies and will take steps to ensure that all employees hired follow high professional standards.