PHI Compromised in Email Security Breaches at FHN and Elkins Rehabilitation & Care Center

The healthcare system FHN, based in Freeport, IL, is informing a number of patients that an unauthorized person may have gained access to many employees’ email accounts between February 12 and February 13, 2020, resulting in the likely exposure of their protected health information (PHI).

FHN stated on April 20, 2020 that, according to the investigation, a breach was confirmed to have taken place; however, determining which information might have been viewed or acquired took some time. It was not possible to verify whether anybody accessed or acquired patient data held in the email accounts, though data access cannot be ruled out. FHN mailed notifications to the impacted persons on July 31, 2020.

The breached accounts held data such as names, birth dates, medical insurance data, patient account numbers, medical record numbers, and some treatment and/or clinical information, such as diagnoses, provider names, and prescribed medication data. The driver’s license numbers and Social Security numbers of a number of patients were also likely exposed.

Free credit monitoring and identity protection assistance were provided to people who had their Social Security numbers and/or driver’s license numbers compromised.

FHN has provided more training to its staff to help them identify and avoid suspicious email messages. The system also took action to strengthen email security, including the use of 2-factor authentication.

Email Security Breach at Elkins Rehabilitation & Care Center Affects 3,127 Patients

In February 2019, Elkins Rehabilitation & Care Center (ERCC), located in West Virginia, learned that unauthorized people had gained access to a few workers’ email accounts. The IT security group performed an internal investigation, which showed that malware had been downloaded onto a number of computer systems between February 4, 2019 and February 7, 2019. The IT security group worked swiftly to identify and remove the malware, and a total password reset was undertaken on all accounts. As soon as ERCC found out that the malware was capable of exfiltrating email messages, an e-discovery specialist was hired to examine all email messages in the accounts to find out whether the attackers stole any data.

ERCC completed the audit of the email accounts on July 1, 2020 and mailed notification letters to all impacted people. The breached accounts contained the personal information and PHI of active and past residents and personnel, including first and last names, certain PHI, driver’s license numbers and/or Social Security numbers. Impacted persons received free identity theft restoration and credit monitoring assistance.

Steps were taken to stop more breaches from happening, including the use of hard drives on computer systems taken over by the malware and the download of different antivirus and antimalware products on all computers. Staff also received further security awareness training.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone