Insurance Fraud NEWS

Coalition Against Insurance Fraud

United Hospital District reports June 2018 breach from phishing attack

February 14, 2019, St. Paul, MN — Minnesota-based United Hospital District is notifying 2,143 patients that their data was compromised during a June 2018 phishing attack.

According to officials, the breach lasted about two weeks, between June 10 and June 27, 2018. The investigation into the security incident concluded on December 12. However, officials did not disclose when the breach was first discovered.

Under HIPAA, providers must notify the Department of Health and Human Services within 60 days of discovering a breach. It’s unclear whether officials simply did not know patient data was compromised until December, or if there was another reason for the delay. UDH did not respond to a request for comment by the time of publication.

The investigation determined that one employee email account was compromised in the cyberattack. The account contained patient names, addresses, health insurance details, and/or patient identifiers. For some patients, medical diagnostic information or Social Security numbers were included.

The patients with breached Social Security numbers will receive a year of free credit monitoring and identity theft restoration services.

UDH has since taken steps to reduce the risk of a future incident, including implementing additional employee training and security measures.

A phishing attack on Pawnee County Memorial Hospital potentially compromised the data of 7,038 patients.

On November 29, officials discovered that a malware virus had infected the hospital’s business email system and launched an investigation with help from an outside forensics team. They determined that an employee received a phishing email that appeared to be from a trusted source. When the email was opened, the malware was activated.

As a result, hackers were able to access the PCMH email accounts for about a week between November 16 and November 24. The EHR was not impacted by the malware.

The employee email accounts are used for patient care and hospital operations and therefore contained emails and/or attachments with internal business records, clinical reports and summaries, and other protected health information documents.

The compromised data included patient names, addresses, dates of birth, service dates, medical record numbers, clinical information like diagnoses and lab results, insurance details, and driver’s licenses or state IDs. Some patients did have their Social Security numbers breached in the security incident.

Officials reset all employee email passwords after the attack, and they continue to work with a forensics team to add technology safeguards. PCMH will also continue to evaluate its practices and bolster security where appropriate.

On December 14, an individual broke into an Anesthesia Associates of Kansas City employee’s vehicle and stole a bag containing patient schedules, potentially breaching the data of 3,472 patients.

The theft was reported to law enforcement, but the bag and contents have not been recovered. AAKC’s investigation determined the stolen paperwork contained some patient names, dates of birth, types and dates of surgery, and the name of the patient’s surgeon.

Social Security numbers, addresses, insurance, and financial data were not contained in the documents. Not all AAKC patients were impacted, but officials “notified certain patients who underwent surgeries from April 4, 2018 to December 14, 2018.”

“To help prevent something like this from happening in the future, we’ve reinforced our policy prohibiting the non-essential removal of patient information from the facility and implemented new requirements designed to safeguard patient data, if there is a necessary reason to take information out of the facility,” officials said in a statement.

Source: Health IT Security
