Phishing Attack on Alive Hospice and Flexcare LLC Potentially Compromised Sensitive Data

Alive Hospice is a provider of palliative care, end-of-life care, bereavement support and community education in Nashville, TN. It publicly announced the unauthorized access of an employee’s email account in May 2019.

Alive Hospice noticed the suspicious activity in the email account of an employee around May 6, 2019. This triggered the change of the account password immediately and the beginning of an investigation into the reason for the breach.

According to the investigation findings, the hackers first accessed only one email account on May 4, 2019 and had access to it for two days. Though there was unauthorized access of the account, there was no evidence that suggest the access or theft of any patient information.

There was varying types of patient information contained in the email messages and email attachments, which may have included PHI, such as the patient’s name, birth date, Social Security number, financial account number, driver’s license number, medical history, treatment data, prescription details, treating or referring doctor data, Medicare or Medicaid number, medical record number, medical insurance information, username/email and password details.

Alive Hospice has reviewed its security protections and additional safety measures will be implemented to stop further attacks. Affected persons received free credit monitoring and identity theft protection services.

Alive Hospice already reported the breach to the Department of Health and Human Services’ Office for Civil Rights. However, the incident is not yet published on the OCR breach website, thus the number of affected individuals is currently unknown.

Another phishing attack on a Californian Medical Staffing Agency called Flexcare LLC was discovered. The email account of just one employee was compromised because of responding to a phishing email. Unusual activity in the email account was detected shortly after the receipt of phishing email. The email security team automatically shut down the account.

Computer forensic professionals helped assess the breach and figure out if the attacker viewed or copied any PHI after accessing the employee’s email account. In spite of the immediate shut down of the account, the investigation affirmed the unauthorized access of the account. Even if there is no proof of data access or theft, the forensics investigators determined that that the attacker could have viewed or copied patients’ PHI.

A detailed email account analysis revealed that the following PHI of the affected patients were exposed: name together with one or more information such as address, birth date, Social Security number, driver’s license number, medical data for instance vaccination history, drug test findings, and answers to yearly health questionnaire.

Flexcare employees will receive further training about email and network security. The agency also implemented multi-factor authentication and provided affected persons with complimentary membership to CyberScout credit monitoring and identity theft protection services for 12 months.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone