PHI Compromised Due to Cyberattacks on HME Specialists and Sapphire Community Health

An email security breach at HME Specialists LLC, doing business as Home Medical Equipment Holdco, resulted in the potential compromise of the protected health information (PHI) of 153,013 people.

HME Specialists found suspicious activity within its email system and quickly protected all affected email accounts and hired an expert cybersecurity firm to perform a forensic investigation to find out the magnitude and nature of the data breach. The cybersecurity company reported on March 11, 2021 that some compromised email accounts stored PHI and that unauthorized individuals accessed the email accounts from June 24 to July 14, 2020.

The accounts included data like names, birth dates, diagnosis and/or other clinical data, as well as some driver’s license numbers, Social Security numbers, credit card numbers, account details and usernames and passwords. There is no specific proof found that suggests the attacker acquired or misused any data in the compromised accounts.

HME Specialists mailed notifications to the affected people who had a current address in the database and instructed them to keep track of their financial accounts and explanation of benefits and watch out for fraudulent transactions. Free credit monitoring services were provided to all people who had their Social Security numbers exposed.

Extra technical safety measures were put in place for employee email accounts such as multifactor authentication, and more employee training to increase attention to the dangers of malicious emails.

Sapphire Community Health Experiences Ransomware Attack

SapPHIre Community Health based in Hamilton, MT has encountered a ransomware attack that resulted in the potential compromise of the PHI of 4,000 patients. The provider discovered the attack on February 18, 2021 when employees were unable to access files. Data systems were de-activated to control the problems caused. Proper scanning and recovery steps were undertaken.

The breach did not impact the medical record system, however, a number of the encrypted files with patient information like names, addresses, and birth dates and, the financial account data and/or Social Security numbers for a few people were exposed.

The investigators of the incident did not find any evidence that suggests the attackers had exfiltrated any patient data before using the ransomware. All impacted people have already received their breach notification letters. More security measures were put in place to stop more attacks.

About Christine Garcia 1200 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA