Phishing Attack on HIPAA Business Associate Northwood Inc Impacts 15,000 Patients

HIPAA business associate Northwood Inc., based in Madison Heights, MI, has reported that an email account belonging to one of its employees was hacked, and that the intruder could have viewed or acquired sensitive patient data.

Northwood discovered the breach on May 6, 2019, when it investigated suspicious activity in connection with an employee’s email account. Once the breach was confirmed, Northwood hired a computer forensics firm to investigate the incident and determine its nature and scope.

The forensic investigation found that an unauthorized person or persons had access to the employee’s email account from May 3 to May 6, 2019. No evidence was found that emails were viewed or copied, but the possibility that data was accessed or stolen could not be ruled out.

All email messages and attachments in the account were then reviewed to determine whether they contained patient data. On June 19, Northwood confirmed that patients’ protected health information (PHI) had been exposed. The information included a patient’s name together with one or more of the following data elements: address, birth date, provider name, dates of service, patient ID number, health record number, diagnosis and diagnosis codes, medical device description, treatment information, and health plan membership number. For some patients, the driver’s license number, Social Security number, and health insurance provider name were also exposed.
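The review step described above, in which every message and attachment in a compromised mailbox is checked for PHI so that the affected individuals can be counted and notified, is usually triaged with a scanner before a human reads anything. The following is an added example of such a triage pass; it is not Northwood’s or its forensic firm’s code. The mailbox is a constructed sample with fictitious values, and the field labels (MRN, Member ID, DL) and value shapes are assumptions about how such data commonly appears in DME correspondence. Binary attachments (PDF, spreadsheets) are reported as unreviewed rather than silently cleared, because that is the gap a notification decision most often gets wrong.

```python
"""Triage a mailbox export for protected health information (PHI).

Added example, not code from the page or the organisation it describes.
SAMPLE_MAILBOX is constructed; labels and value shapes in PHI_PATTERNS are
assumptions and should be tuned to the real mailbox under review.
"""
import re
from collections import Counter
from email import message_from_string
from typing import Dict, List, Set

# Data elements of the kind listed in the breach notice. Heuristic by design:
# the output is a lead list for a human reviewer, not a final determination.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    # US SSN shape, rejecting area/group/serial ranges the SSA never issues.
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|Date of Birth)\s*[:#]?\s*(\d{1,2}/\d{1,2}/\d{4})", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*(\d{6,10})\b", re.I),
    "member_id": re.compile(r"\bMember\s*ID\s*[:#]?\s*([A-Z0-9]{6,14})\b", re.I),
    "drivers_license": re.compile(
        r"\b(?:DL|Driver'?s License)\s*(?:No\.?|Number|#|:)?\s*([A-Z]?\d{6,12})\b", re.I),
}

# Constructed sample export (three messages, fictitious people and IDs).
SAMPLE_MAILBOX: List[str] = [
"""From: billing@example-dme.test
To: intake@example-dme.test
Subject: CPAP order - J. Doe
Content-Type: text/plain; charset=utf-8

Patient: Jane Doe  MRN: 00482913  DOB: 04/12/1961
Member ID: BCN88213477
Device: CPAP with heated humidifier, service date 03/02/2019
""",
"""From: support@example-dme.test
To: intake@example-dme.test
Subject: Re: prior auth
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Attached is the roster. SSN 219-09-9999 for the first patient, the rest are in the CSV.

--b1
Content-Type: text/csv; name="roster.csv"
Content-Disposition: attachment; filename="roster.csv"

name,mrn,dob
Jane Doe,MRN: 00482913,DOB: 04/12/1961
John Roe,MRN: 00739201,DOB: 11/30/1955

--b1
Content-Type: application/pdf; name="auth.pdf"
Content-Disposition: attachment; filename="auth.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
""",
"""From: it@example-dme.test
To: intake@example-dme.test
Subject: Scheduled maintenance
Content-Type: text/plain; charset=utf-8

The mail server will be patched Saturday at 22:00. No action required.
""",
]


def scan_message(raw: str) -> Dict[str, object]:
    """Scan one RFC 822 message: body plus every text/* attachment.

    Non-text attachments are listed so the reviewer knows they were skipped,
    not cleared; they need a dedicated extractor (PDF, XLSX) or manual review.
    """
    msg = message_from_string(raw)
    found: Dict[str, List[str]] = {name: [] for name in PHI_PATTERNS}
    skipped: List[str] = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; its children are walked next
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            for name, pattern in PHI_PATTERNS.items():
                for m in pattern.finditer(text):
                    # Patterns with a capture group report the value, others the match.
                    found[name].append(m.group(m.lastindex or 0))
        else:
            skipped.append(part.get_filename() or part.get_content_type())
    return {"subject": msg.get("Subject", ""), "elements": found,
            "skipped_attachments": skipped}


def triage_mailbox(raw_messages: List[str]) -> Dict[str, object]:
    """Summarise which PHI elements the mailbox held and how many distinct
    values each maps to (the same MRN in a body and a CSV counts once)."""
    element_counts: Counter = Counter()
    unique_values: Dict[str, Set[str]] = {name: set() for name in PHI_PATTERNS}
    messages_with_phi = 0
    unreviewed: List[str] = []
    for raw in raw_messages:
        result = scan_message(raw)
        elements = result["elements"]
        if any(elements.values()):
            messages_with_phi += 1
        for name, values in elements.items():
            element_counts[name] += len(values)
            unique_values[name].update(values)
        unreviewed.extend(result["skipped_attachments"])
    return {
        "messages_scanned": len(raw_messages),
        "messages_with_phi": messages_with_phi,
        "element_counts": dict(element_counts),
        "unique_values": {name: len(v) for name, v in unique_values.items()},
        "unreviewed_attachments": unreviewed,
    }


if __name__ == "__main__":
    for key, value in triage_mailbox(SAMPLE_MAILBOX).items():
        print(f"{key}: {value}")
```

Two design points matter for the notification count. First, the unique-value tally, not the hit count, is what feeds the number of affected individuals, which is why the same MRN appearing in a message body and again in an attached CSV is counted once. Second, the unreviewed-attachment list must be empty before the mailbox is declared clean; an exported mailbox full of PDFs that the scanner skipped has not been reviewed at all.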

Northwood had supplied durable medical equipment to the affected patients or managed their devices. The compromised email account also contained information about healthcare providers, including their exclusion status with the Centers for Medicare & Medicaid Services (CMS).

When Northwood discovered the breach, it disabled the compromised account and, as a precaution, reset the passwords of all employee email accounts. Employees received additional training on identifying email-based threats, and email security controls were upgraded. Northwood has mailed notification letters to all affected patients and offered them free credit monitoring services.

Northwood reported the breach to the Department of Health and Human Services’ Office for Civil Rights as four separate incidents, affecting 583, 3,881, 5,000, and 5,563 patients respectively, for a total of 15,027 patients.