South Carolina-based Palmetto Health is notifying 23,811 patients of a potential breach caused by a phishing attack in November 2018.
According to the notification, Palmetto officials discovered the phishing attack on its employee email accounts that gave a hacker unauthorized access to individual email inboxes. Upon discovery, account access was blocked and third-party technical experts were hired to investigate the scope of the incident.
The investigation determined that the unauthorized access first occurred in November. Officials said the affected emails were also examined for patient data and “hand reviewed” to obtain patient names and addresses “for use in notification.”
“We believe the purpose of the unauthorized access was to gain access to payroll information,” officials said in a statement.
Officials concluded the investigation on February 19, 2019, finding that the compromised accounts contained patient names and other data used by providers in the course of treatment. A “lesser portion” of the emails contained Social Security numbers and insurance information. Patients whose financial data was compromised will receive free identity theft protection services.
Meanwhile, California-based Women’s Health USA recently reported a similar breach caused by a phishing attack. About 17,500 patients were notified that their personal data was potentially compromised after some Women’s Health employees fell victim to targeted phishing attacks.
Officials said that on March 15 they began notifying some of their health provider clients that the investigation into the phishing attack had concluded. The investigation determined that some employees were tricked into providing their email account credentials to the hackers. Those accounts were secured upon discovery.
An outside forensics team assisted with the investigation, which found hackers may have been able to access the emails and attachments contained in the two compromised email accounts between April 5, 2018 and August 13, 2018.
The breached data varied by patient, but could have included names, dates of birth, Social Security numbers, Medicaid Health Insurance Claim Numbers, health insurance policy numbers, diagnoses, and treatment details. Women’s Health has since updated its email system’s security and will provide employees additional phishing and cybersecurity education.
Neither breach notification revealed when the breach was first discovered. It’s important to note that under the HIPAA Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of the breach, not after an investigation concludes.
These providers join a growing list of organizations that have either reported breaches more than 60 days after discovery or failed to detect a breach for an extended period. The most notable recent case is Wolverine Solutions Group, which completed its “rolling” notifications in March for a ransomware attack that hit the vendor the previous September.