A phishing attack on Women’s Health USA Inc. resulted in the compromise of patients’ protected health information (PHI). Women’s Health USA Inc. is a business associate based in Avon, CT that offers healthcare organizations a range of practice management services.
An investigation was started as soon as Women’s Health USA detected suspicious activity in several employee email accounts. The organization secured the compromised accounts and engaged a top-rated cybersecurity firm to investigate the incident and determine the nature and scope of the breach.
According to the investigation results, two employees’ email accounts were accessed by unauthorized persons after the employees responded to phishing emails and disclosed their email account credentials. The two accounts were compromised on April 5, 2018 and August 13, 2018 respectively.
The investigators reviewed the emails and attachments in the compromised accounts and found a limited amount of protected health information (PHI) exposed, including patients’ names, dates of birth, health insurance policy numbers, Medicare Health Insurance Claim Numbers (HICNs), diagnosis information, treatment details, and Social Security numbers. The types of information exposed varied from patient to patient.
Women’s Health USA notified all affected healthcare provider clients of the breach on March 15, 2019, and began sending breach notification letters to the affected patients on March 29, 2019.
All employees have received additional training on recognizing phishing emails and on other cybersecurity risks, and additional security measures have been implemented to strengthen email security.
Women’s Health USA has reported the phishing-related data breach to the Department of Health and Human Services’ Office for Civil Rights. The summary posted on the OCR breach portal indicates that 17,531 patients were affected by the breach.