PHI Exposed Due to Centura Health Email Compromise and Columbus Community Hospital Phishing Attack

Centura Health, a health system established in Centennial, CO, sent notifications to 7,515 patients concerning the potential compromise of their PHI because of an email security breach.

Centura Health became aware of the breach on April 16, 2019 and secured the affected email account without delay. The investigation into the breach confirmed that the account had been accessed by an unauthorized person who may have seen or copied patient records included in the email communications and file attachments. Although there is no indication that PHI was accessed, stolen or misused, Centura Health began sending breach notifications to patients on May 22, 2019 as a protective measure.

The patient data that was exposed during the breach included names, birth dates, demographic details, account number, health record number, service dates, treating physician, health services acquired, medical device given, and other clinical details. The exposed information did not include health insurance information, financial details, or Social Security numbers.

To prevent further email security breaches, Centura Health took some vital actions. Employees were retrained specifically on email security, the use of strong passwords was enforced, and email security was strengthened.

Columbus Community Hospital, located in Columbus, WI, is notifying some patients regarding the exposure of some of their PHI because one of its business associates suffered a phishing attack.

OS Inc, which provides claims management services to Columbus Community Hospital, reported on April 8, 2019 that an unauthorized person had accessed an employee’s email account and could have viewed patient data.

The compromised email account contained information such as names, hospital account numbers, insurance company names, summaries of charges, and types of service. The insurance ID number and/or Social Security number of some patients were likewise exposed. Investigators have not found any evidence to date that data was accessed, stolen, or misused.

OS Inc serves many other hospitals and, so far, there is no mention of other hospitals or patients being affected by the breach. The HHS’ Office for Civil Rights has not yet published the breach incident on its website and the exact number of persons affected is still unknown.