Sunrise Treatment Center, located in Cincinnati, OH, is notifying 3,660 patients about the potential unauthorized access of some of their protected health information (PHI) contained in an employee’s email account. The breach happened on February 26, 2020, and was discovered the next day.
On April 15, 2020, forensic experts concluded the breach investigation and confirmed that the email account contained patient information. The following types of information were found: first and last names, dates of birth, descriptions of provided treatment, prescribed medicines, treatment dates, some Social Security numbers, health plan numbers and account balances.
Though the attackers may have accessed patient information, the intent behind the attack was to get Sunrise employees to send money to a foreign bank account. The company detected a fake wire transfer and stopped it, so Sunrise accounts lost no money.
Sunrise found no evidence that patient data was accessed or copied as a result of the attack. However, as a safety measure, Sunrise offered a free 12-month credit monitoring membership to the affected patients. After the breach, a third-party expert conducted an extensive security assessment and implemented more safety measures to stop other attacks.
Business Associate Phishing Attack Impacts Gateway Health Members
Gateway Health in Pennsylvania, a managed care organization, found out about the potential compromise of the PHI of some of its members.
Gateway Health employs the services of National Imaging Associates (NIA) to assess requests for imaging services. On April 11, 2020, NIA discovered a breach of its systems and found that an unauthorized person had accessed its email system. The investigation confirmed that the hacker was able to access emails after a response to a phishing email.
The compromised emails contained Gateway Health members’ names, birth dates, treatment data, Gateway ID numbers, and payment and health plan details.
The hacker used the compromised email account to carry out other phishing attacks. No evidence was found that Gateway Health members’ data was accessed or stolen, and no reports have been received concerning the misuse of members’ personal data and PHI.
NIA has taken steps to enhance security and offered a free 12-month credit monitoring membership to all Gateway Health members affected by the breach.
Improper Disposal Incident Reported By Hanger Clinic
Hanger Prosthetics & Orthotics, Inc., dba Hanger Clinic, found out that its Kirksville, Missouri storage facility had an improper disposal incident involving boxes of files with patient documents.
Upon learning about the incident, Hanger Clinic sent its staff to the storage facility to gather the remaining patient records. The storage facility is no longer in use.
The records held the following information on 6,033 patients: patient names, addresses, birth dates, medical record numbers, dates of service, treatment histories, prescription details, copies of driver’s licenses, insurance data, and Social Security numbers.
As a safety measure against identity theft and fraud, Hanger Clinic offered the affected patients free identity theft protection and credit monitoring services.