Email Account Breach Reports by Meharry Medical College and MEDNAX Services

Meharry Medical College located in Nashville, TN found an email account breach that possibly allowed unauthorized persons to get access or steal the protected health information (PHI) of up to 20,983 patients.

Meharry Medical College found out about the breach approximately July 28, 2020 and secured the account right away. Third-party technical experts inspected the breach and reported that just one email account was affected. On September 1, 2020, the detectives explained that due to the nature of the breach, the hackers likely copied the email account contents, perhaps inadvertently in the process of the routine email synchronization process.

An analysis of the email account content revealed that it help information such as the complete names of patients, dates of birth, internal patient account numbers, provider names, diagnoses/diagnostic codes, and other medical details. Some patients’ Social Security numbers, Medicare/Medicaid numbers, and medical insurance information were likewise included.

Meharry Medical College provided free identity theft protection services to those who had a Social Security number possibly compromised.

MEDNAX Services Inc. Phishing Attack Potentially Compromised PHI

MEDNAX Services Inc in Sunrise, FL is the provider of cycle management and selected administrative services to an associated physician practice network. On June 19, 2020, the provider became aware that unauthorized individuals had accessed its email system hosted by Microsoft Office 365 after employees that received phishing emails responded to them.

A national forensic company assisting MEDNAX reported that a number of business email accounts were compromised from June 17, 2020 to June 22, 2020. The compromised accounts were not connected to the MEDNAX internal network and systems. An analysis of the affected email accounts indicated that they contained information such as patient and guarantors’ names, email addresses, mailing addresses, dates of birth, state ID numbers, driver’s license numbers, Social Security numbers, financial details, health insurance details, clinical and treatment details, Medicare/Medicaid numbers, and invoicing and claims records. MEDNAX cannot ascertain which patient files, if any, were accessed by unauthorized persons.

MEDNAX provided complimentary identity monitoring services for one year to the persons affected by the breach. In addition, the provider evaluated its security controls and implemented measures to strengthen security to prevent other breaches from this time on.

About Christine Garcia 1200 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA