Three Email Hacking Incidents Potentially Exposed 8,600 Patients’ PHI

Three healthcare organizations reported potential breaches of patients’ protected health information (PHI) after unauthorized persons gained access to their employees’ email accounts. Across the three incidents, 8,635 patients were affected.

The first incident involved Center for Sight and Hearing, based in Rockford, IL. On January 23, 2019, it was discovered that an unauthorized person had accessed an employee’s email account. The breach of the account, which contained the PHI of 5,319 patients, happened on January 18.

A third-party computer forensics firm investigating the incident confirmed on February 21, 2019 that the compromised email account contained information such as names, addresses, and patient schedule details. To enhance security, Center for Sight and Hearing implemented multi-factor authentication and a new password management system.

The second incident involved Harbor Behavioral Health, a group of counselling and mental health treatment centers in Northwest Ohio. On February 13, 2019, Harbor Behavioral Health discovered that an unauthorized person had accessed an employee’s email account.

A third-party computer forensics company found that the hacker accessed the account for three months, from December 2018 to February 2019, and that another email account was compromised.

Unauthorized access to the two compromised accounts was promptly terminated. The accounts were secured and analyzed. The analysis found that names, birth dates, health insurance information, and information associated with Harbor’s services were contained in the account. Some patients’ Social Security numbers and driver’s license numbers were likewise exposed. The breach affected the PHI of 2,290 patients.

Harbor Behavioral Health offered free credit monitoring and identity theft protection services to the patients whose Social Security number or driver’s license number was exposed. In addition, Harbor implemented controls to stop unauthorized access from external IP addresses, improved its log reviews and the regularity of automated notifications, and strengthened its security processes. Employees received additional training to help them identify and prevent phishing emails.

In the third incident, a hacker gained unauthorized access to a Dakota County employee’s email account, potentially affecting 1,026 individuals. The county discovered the breach on February 13, 2019 and secured the account immediately.

As a precaution, all employee email accounts were subjected to a forced password reset to make sure no other accounts could be accessed, though the investigation confirmed that just one account was exposed. Third-party cybersecurity experts conducted an investigation and confirmed that the account had been accessed. It could not be determined whether any emails were viewed or copied.

The compromised account contained Dakota County Social Services information such as names, addresses, driver’s license numbers, Social Security numbers, medical insurance details, medical histories, diagnoses, and treatment data.

Affected individuals received free identity protection services, and received breach notification letters on April 12, 2019. Dakota County also improved its email security defenses to stop other attacks.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone