Email-related breaches often expose sensitive personal information, putting organizations and patients at risk. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following email-related breaches in healthcare were reported this week:
Embody Performance & Recovery breach
What happened
Embody Performance & Recovery, a healthcare provider based in Washington, DC, recently discovered that unauthorized individuals accessed employee email accounts. The breach occurred when a phishing attack targeted employees, leading to compromised email accounts. The attack allowed the unauthorized third party to access sensitive information stored in the emails.
Data impacted
The compromised emails contained a wide range of sensitive personal information, including names, Social Security numbers, and medical information such as diagnoses and treatment details. This breach affected 800 individuals, placing them at risk for identity theft and other forms of fraud.
Breach timeline
The phishing attack was discovered in mid-September 2024, and an investigation was initiated immediately. Once the breach was confirmed, the affected individuals were notified. The breach was reported to the Office for Civil Rights (OCR) on November 4, 2024.
Universal Health Corporation breach
What happened
Universal Health Corporation, a medical group based in Roanoke, VA, also experienced unauthorized access to employee email accounts. The breach was identified around July 29, 2024, when the organization noticed suspicious activity within its email system. The breach was linked to a compromise of email credentials, which gave unauthorized individuals access to sensitive patient data.
Data impacted
The breach involved a wide range of protected health information (PHI), including names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record and patient ID numbers, health insurance details (including Medicare/Medicaid), medical diagnoses, treatment information, prescription details, healthcare provider names, and test results. A total of 583 individuals were affected, putting them at risk for identity theft, fraud, and misuse of sensitive health information.
Breach timeline
Universal Health Corporation discovered the breach in late July 2024. The organization completed its investigation by September 24, 2024, and reported the incident to the OCR on November 6, 2024.
How to prevent email-based breaches
- Phishing prevention training: Regularly educate staff on recognizing phishing attempts and other suspicious email activity.
- Multi-factor authentication (MFA): Enforce MFA for all employees so that a stolen password alone is not enough to access an email account.
- Encryption and secure email platforms: Use encrypted email systems like Paubox to protect sensitive data and ensure that PHI is only shared over secure channels.
- Email monitoring and alerts: Set up automated alerts for suspicious activity, such as failed login attempts or emails from unknown sources.
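The monitoring point above can be made concrete with a small detector that reads mail-authentication log lines and raises alerts on the patterns that preceded both breaches described here: a burst of failed logins, a success immediately after such a burst, and a login from a source address not previously seen for that user. This is an added example, not code from the page or from Paubox; the log format, the sample lines, and the per-user baseline of known IP addresses are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample mail-auth log lines (not from any real system).
SAMPLE_LOG = """
2024-07-29T08:01:10Z user=jdoe@example.org ip=203.0.113.5 result=FAIL
2024-07-29T08:01:12Z user=jdoe@example.org ip=203.0.113.5 result=FAIL
2024-07-29T08:01:15Z user=jdoe@example.org ip=203.0.113.5 result=FAIL
2024-07-29T08:01:18Z user=jdoe@example.org ip=203.0.113.5 result=FAIL
2024-07-29T08:01:20Z user=jdoe@example.org ip=203.0.113.5 result=FAIL
2024-07-29T08:01:25Z user=jdoe@example.org ip=203.0.113.5 result=OK
2024-07-29T09:15:00Z user=asmith@example.org ip=198.51.100.7 result=OK
2024-07-29T09:20:00Z user=asmith@example.org ip=198.51.100.7 result=OK
""".strip()

# Assumed log format: "<timestamp> user=<addr> ip=<addr> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed baseline of source IPs previously seen per user.
KNOWN_IPS = {
    "jdoe@example.org": {"192.0.2.10"},
    "asmith@example.org": {"198.51.100.7"},
}

def parse(log):
    """Turn raw log text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect(events, fail_threshold=5, known_ips=KNOWN_IPS):
    """Return (alert_type, user, ip, timestamp) tuples in log order."""
    alerts = []
    fails = defaultdict(int)  # consecutive failures per user
    for e in events:
        user, ip = e["user"], e["ip"]
        if e["result"] == "FAIL":
            fails[user] += 1
            if fails[user] == fail_threshold:  # fire once per burst
                alerts.append(("brute_force", user, ip, e["ts"]))
            continue
        if fails[user] >= fail_threshold:  # password guessed or phished
            alerts.append(("success_after_failures", user, ip, e["ts"]))
        if user in known_ips and ip not in known_ips[user]:
            alerts.append(("new_source_ip", user, ip, e["ts"]))
        fails[user] = 0  # a success resets the failure streak
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` on the constructed lines yields three alerts, all for jdoe@example.org, while asmith@example.org's routine logins from a known address produce none.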
FAQs
What is the most common cause of email-related data breaches in healthcare?
Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.
Is HIPAA violated if only internal staff emails containing PHI are compromised?
Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.
What should be included in a healthcare organization’s incident response plan for email breaches?
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.