Email-related breaches often expose sensitive personal information, putting organizations and patients at risk. Despite advances in cybersecurity, healthcare organizations remain vulnerable to attacks, largely due to the valuable nature of the data they hold. The following email-related breaches in healthcare were reported this week:
Embody Performance & Recovery, a healthcare provider based in Washington, DC, recently discovered that unauthorized individuals accessed employee email accounts. The breach occurred when a phishing attack targeted employees, leading to compromised email accounts. The attack allowed the unauthorized third party to access sensitive information stored in the emails.
The compromised emails contained a wide range of sensitive personal information, including names, Social Security numbers, and medical information such as diagnoses and treatment details. This breach affected 800 individuals, placing them at risk for identity theft and other forms of fraud.
The phishing attack was discovered in mid-September 2024, and an investigation was initiated immediately. Once the breach was confirmed, the affected individuals were notified. The breach was reported to the Office for Civil Rights (OCR) on November 4, 2024.
Universal Health Corporation, a medical group based in Roanoke, VA, also experienced unauthorized access to employee email accounts. The breach was identified around July 29, 2024, when the organization noticed suspicious activity within its email system. The breach was linked to a compromise of email credentials, which gave unauthorized individuals access to sensitive patient data.
The breach involved a wide range of protected health information (PHI), including names, Social Security numbers, addresses, dates of birth, driver’s license numbers, medical record and patient ID numbers, health insurance details (including Medicare/Medicaid), medical diagnoses, treatment information, prescription details, healthcare provider names, and test results. A total of 583 individuals were affected, putting them at risk for identity theft, fraud, and misuse of sensitive health information.
Universal Health Corporation discovered the breach in late July 2024. The organization completed its investigation by September 24, 2024, and reported the incident to the OCR on November 6, 2024.
Phishing attacks are the most common cause of email-related breaches: attackers trick employees into sharing login credentials or clicking malicious links, which grants unauthorized access to email accounts.
Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.