Phishing Attacks in NC and TX Expose 30,000 Patients’ PHI

Choice Health Management Services, a Claremont, NC rehabilitation services provider and owner of a number of assisted living facilities in North and South Carolina, has suffered an email security breach affecting its staff and its current and former patients.

Choice Health discovered the security breach at the end of 2019 when suspicious activity was seen in the email accounts of several of its staff. On January 17, 2020, an internal investigation confirmed suspicious access to 17 workers’ email accounts. Because it was not feasible to determine which emails and/or file attachments the hackers had accessed, a third-party agency was called in to help with the investigation. The investigation was completed on March 27, 2020 and found that the exposed accounts stored sensitive data, but it remained unclear which locations the impacted people had visited for treatment. It was only on May 12, 2020 that those persons were matched to a specific facility.

The breached accounts contained a wide range of sensitive data, including names, Social Security numbers, birth dates, passport numbers, driver’s license numbers, credit card details, financial account data, employer identification numbers, email addresses and passwords or associated security questions, usernames and passwords or associated security questions, provider names, dates of service, patient numbers, medical record numbers, medical details, diagnostic or treatment data, surgical details, prescribed medicines, and/or medical insurance data.

Choice Health mailed notification letters to the impacted patients and strengthened security to prevent further data breaches. According to the HHS’ Office for Civil Rights breach website, 11,650 persons were impacted.

Phishing Attack on Houston Health Clinic Affects 19,000 Patients

Legacy Community Health, a Houston, TX federally eligible health center, is notifying around 19,000 patients about the possible unauthorized access to their protected health information (PHI) by an individual who gained access to the email account of one staff member.

On April 10, 2020, a staff member responded to an email, believing it to be a valid request, and disclosed credentials that gave the hacker access to his/her email account. Legacy Community Health found out about the breach on April 16, 2020 and quickly secured the email account.

With the help of an independent computer forensics agency, Legacy Community Health established that the breach impacted just one email account, which was found to include names of patients, dates of service, and medical information linked to the care given at its clinics.

The breach investigation is in progress and notification letters will soon be mailed to all persons whose data were compromised. At this time, no evidence has been found that indicates the acquisition or improper use of any patient data.

Legacy Community Health is taking steps to strengthen email security and has enabled multi-factor authentication on its email accounts. Additional training was also given to personnel to help them recognize and avoid phishing emails.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism.