Email-related breaches often expose sensitive personal information, putting organizations and patients at risk. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following email-related breaches in healthcare were reported this week:
Connally Memorial Medical Center recently experienced a data breach involving unauthorized access to an employee’s email account. On July 29, 2024, the hospital discovered that an unknown individual had gained access to sensitive personal information stored in its email system. The hospital immediately launched an investigation to determine the scope of the breach.
The compromised information included names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical information such as diagnoses, treatment details, patient ID numbers, and health insurance information, including Medicare or Medicaid numbers. This incident affected 1228 individuals, putting them at risk of identity theft and other forms of fraud.
The breach was first detected in late July. Connally Memorial posted a notice of the incident on September 27, 2024 and reported it to the OCR on September 30, 2024.
Seven Counties Services experienced a phishing attack that compromised multiple employee email accounts. The phishing emails posed as trusted sources and tricked employees into providing access to their accounts. On August 12, the organization’s IT department discovered the breach and took immediate action to secure the compromised accounts.
The compromised emails contained demographic, financial, and clinical protected health information. Specific data included names, dates of birth, Social Security numbers, addresses, phone numbers, email addresses, diagnoses, and dates of service. Any email that contained PHI or attachments with this information could have been compromised, leaving patients vulnerable to identity theft.
The phishing attack began on July 19, 2024. It was detected and contained by August 12, 2024, and was reported to the OCR on October 4th.
Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.
Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.