Phishing Attacks on Artesia General Hospital and Carle Foundation Hospital Impact Over 15,000 Patients

Artesia General Hospital located in Artesia, NM had a phishing attack, which resulted in the exposure of the protected health information (PHI) of 13,905 patients.

The discovery of an employee’s email account is utilized for sending unauthorized email messages was a prelude to the discovery of the breach on June 18, 2019. Forensic investigation of the breach showed that the account was accessed by an unauthorized individual from June 11 to June 18.

A well-known computer forensics company looked into the breach but saw no evidence of data theft. Until now, no report has been received concerning the theft or improper use of PHI.

The data included in the email accounts which was potentially exposed are the: names of patients, dates of birth, healthcare record numbers, patient account numbers, health insurance information, and treatment and/or clinical records, such as names of provider, diagnoses, and dates of service. The patients’ Social Security numbers were also likely exposed.

Because of the breach, the hospital enhanced its security awareness training program and even integrated more effective email security. Patients whose Social Security numbers were exposed received free credit monitoring and identity theft protection services.

1,653 Patients of Phishing Attack on Carle Foundation Hospital

Carle Foundation Hospital in Urbana, IL had a phishing attack, which compromised the email accounts of three physicians.

The hospital discovered the data breach on June 24, 2019 and opened up an investigation. Based on the results of the inquiry, the email accounts breach happened three weeks before June 3, 2019. A third-party cybersecurity organization helped the hospital determine that the following information was exposed: names of patients dates of birth, diagnoses, treatment coverage, and clinical information and medical record numbers. Patients who had cardiology or surgical procedure at the hospital were impacted by the breach.

Although there was no evidence that PHI was misused or stolen, the hospital still mailed breach notification letters to the impacted people. To prevent other similar incidents, employees had to go through retraining and email security must be enhanced.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at