Two separate incidents of email-related data breaches were recently reported to OCR. The covered entities involved were Flexible Benefit Service Corporation (Flex) and the Kansas Department for Aging and Disability Services (KDADS). The protected health information (PHI) of over 16,000 persons was potentially exposed.
Flex is a general agency and benefit administrator for health insurance carriers based in Chicago, IL. It detected a security breach on December 6, 2017, caused by a phishing attack that gave an unauthorized person access to a corporate email account. Apparently, an employee responded to a phishing email and disclosed his login credentials. Later, it was found that his email account was being used to send phishing emails.
A third-party forensics team investigated the breach to determine the extent of the attack. The investigators found that the attacker's intention was to gain access to the email account and search it for information on invoices, wire payments and wire transfers. This suggested that the attacker was not interested in accessing protected health information but in using the account in a business email compromise (BEC) attack.
The investigators could not verify whether individual emails in the account were opened. If they were, the attacker could have viewed the PHI of 5,123 individuals, including names, phone numbers, addresses, birth dates and Social Security numbers. Flex offered individuals whose PHI was potentially exposed free identity theft protection, recovery and credit monitoring for one year. To tighten its security, Flex gave employees anti-phishing training and internal security awareness training.
Regarding the data breach at the Kansas Department for Aging and Disability Services (KDADS), an employee sent an unauthorized email containing the PHI of about 11,000 consumers to several KDADS business associates. All of the business associates that received the email had already signed a business associate agreement with KDADS and are therefore prohibited from disclosing or misusing the shared PHI. KDADS immediately contacted them about the error and requested that they delete or destroy the email message and any printed copies of the received information. No reports were received indicating any misuse or disclosure of consumers' PHI.
The PHI in the email that was erroneously sent to business associates included names, addresses, birth dates, genders, Social Security numbers, Medicaid identification numbers and information on participation in in-home services programs. Because of the data breach, KDADS revised its organizational policies and procedures to prevent similar incidents from happening again. The employee who sent the email by mistake was terminated.