51,000 Patients’ PHI Exposed Due to Breaches at American Medical Technologies and Kentuckiana Regional Planning & Development Agency

American Medical Technologies based in Irvine, CA, a provider of wound care solutions and medical supplies, reported that an unauthorized person accessed the email account of an employee and most likely viewed and copied the some patients’ protected health information (PHI).

American Medical Technologies discovered the breach on or roughly December 17, 2019 upon detecting suspicious activity in the email account. The investigators of the breach confirmed that the attacker likely obtained access to PHI including names, Social Security numbers, medical record numbers, diagnosis data, subscriber numbers, medical insurance policy numbers, medical histories, HIPAA account details, taxpayer ID numbers and driver’s license/state identification numbers. There is no evidence found that indicates the viewing or theft of information in the attack. However, unauthorized access or exfiltration of data cannot be ruled out.

A thorough email account analysis was done and completed on May 14, 2020. According to the review, the account held the PHI of 47,767 patients. American Medical Technologies already mailed notification letters to the patients concerning the breach and offered them free credit monitoring services.

After the breach, American Medical Technologies hired two third-party security companies to review the email security and implemented additional security measures as per their advice. The improvements included data security on the company’s web server infrastructure.

Phishing Attack at Kentuckiana Regional Planning & Development Agency

Kentuckiana Regional Planning & Development Agency (KIPDA) based in Louisville, KY discovered that an unauthorized person accessed one email account. On February 18, 2020, KIPDA discovered the breach when KIPDA there were lots of email messages sent from the account. KIPDA secured the account immediately and investigated the incident to find out the nature and magnitude of the breach.

With the assistance of a third-party digital forensics company, KIPDA confirmed the unauthorized access of the email account from January 29, 2020 to February 14, 2020. The investigators further confirmed on April 9, 2020 the potential viewing or copying of PHI of 3,663 patients, though they could not tell which of the email messages in the account, if any, were accessed.

The emails and email attachments contained the following PHI: names, addresses, birth dates, diagnosis and treatment details, billing and process codes, and Medicaid ID number. Some patients’ Social Security numbers and/or driver’s licenses were also exposed.

KIPDA stated in a substitute breach notice that they are taking the following steps to strengthen security:

  • changing password more frequently
  • implementing 2-factor authentication on the email accounts
  • using secure data files for saving sensitive information
  • updating policies and procedures on the regular and secure deletion of email data from the email accounts
  • giving further HIPAA training to employees on methods and cybersecurity as well as the risks involved in sharing sensitive information through email

KIPDA is also thinking about setting access limits to its network to people based in the United States.

About Christine Garcia 1200 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA