The following email-related breaches in healthcare were reported this week:
Familylinks Inc. data breach
What happened
On November 12, 2024, Familylinks Inc. reported a data breach following suspicious activity in one of its employees' email accounts. Upon investigation, Familylinks discovered that unauthorized access occurred on May 3, 2024, potentially exposing personal and/or protected health information (PHI). The breach was identified after the employee’s email account was compromised, and unauthorized parties accessed sensitive data.
Impact
The information exposed includes individuals' names, driver’s license numbers, Social Security numbers, dates of birth, medical information (including diagnoses and treatment details), and health insurance information (policy numbers) of 3,775 individuals. According to their official press release, "While Familylinks has no evidence that the information potentially involved in this incident has been misused, out of an abundance of caution, Familylinks is informing affected individuals about the steps they can take to help protect their information."
Breach timeline
On May 3, 2024, Familylinks discovered unauthorized access to one of its employee's email accounts. A comprehensive review of the affected data was completed by October 3, 2024, to determine the extent of the compromised information. On November 12, 2024, Familylinks reported the breach to the Office for Civil Rights (OCR).
Liberty Endo, LLC data breach
What happened
Liberty Endo, LLC, a healthcare provider based in New York, reported a data breach on November 13, 2024. The breach was caused by a hacking/IT incident involving unauthorized access to an employee’s email account. Upon discovering the breach, Liberty Endo took immediate action to secure its systems and investigate the incident, though the full scope of the breach is still under review.
Impact
It is likely that the compromised email account contained personal and health information, although the precise details of the data affected are still being determined. This breach affected a reported total of 942 individuals.
Breach timeline
On November 13, 2024, Liberty Endo, LLC reported the data breach to the Office for Civil Rights (OCR). The investigation into the breach is ongoing, with the organization working to confirm the specific details of the compromised information.
Option Care Health data breach
What happened
Option Care Health (“OCH”) discovered a data breach on November 15, 2024, caused by unauthorized access to an employee’s email account. The breach was traced back to July 31, 2024, when an unauthorized party accessed the account, potentially exposing sensitive consumer data, including PHI. OCH conducted a thorough investigation and confirmed that the unauthorized party had access to certain individuals’ PHI.
Impact
The breach affected 2,897 individuals' sensitive health information, including treatment details, medical records, and possibly other personal data. The compromised data varies depending on the individual, but it likely includes information related to patients’ medical treatments, diagnoses, and health insurance.
Breach timeline
On July 31, 2024, unauthorized access to an employee's email account was detected by Option Care Health (OCH). The following day, on August 1, 2024, OCH launched an investigation into the incident. By September 16, 2024, the investigation confirmed that the unauthorized party had accessed PHI. On November 15, 2024, OCH began sending notification letters to all affected individuals and reported the incident to the OCR.
How to prevent email-based breaches
- Phishing prevention training: Regularly educate staff on recognizing phishing attempts and other suspicious email activity.
- Multi-factor authentication (MFA): Enforce MFA for all employees for an additional layer of security to email accounts.
- Encryption and secure email platforms: Use encrypted email systems like Paubox to protect sensitive data and ensure that PHI is only shared over secure channels.
- Email monitoring and alerts: Set up automated alerts for suspicious activity, such as failed login attempts or emails from unknown sources.
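As an added illustration of the "failed login attempts" alert in the last bullet (example code, not from the original post or any vendor product), the small detector below runs over constructed mail-authentication log lines; the log format, the account names, the IP addresses and the thresholds are all assumptions.

```python
# Added example: flag failed-login bursts against a mailbox, and a successful
# login that immediately follows such a burst (a common compromise pattern).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp user result src" format.
SAMPLE_LOG = """\
2024-07-31T02:14:07Z user=jdoe@example.org result=FAIL src=203.0.113.10
2024-07-31T02:14:19Z user=jdoe@example.org result=FAIL src=203.0.113.10
2024-07-31T02:14:31Z user=jdoe@example.org result=FAIL src=203.0.113.10
2024-07-31T02:14:44Z user=jdoe@example.org result=FAIL src=203.0.113.10
2024-07-31T02:15:02Z user=jdoe@example.org result=FAIL src=203.0.113.10
2024-07-31T02:15:20Z user=jdoe@example.org result=OK src=203.0.113.10
2024-07-31T08:01:00Z user=asmith@example.org result=FAIL src=198.51.100.7
2024-07-31T08:03:00Z user=asmith@example.org result=OK src=198.51.100.7
"""

FAIL_THRESHOLD = 5             # assumed: failures within WINDOW that raise an alert
WINDOW = timedelta(minutes=10)  # assumed sliding window per account

def parse_line(line):
    """Split one log line into (timestamp, user, result, source IP)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"], kv["src"]

def detect(log_text):
    """Return alert strings: one per failure burst, one per success right after a burst."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of failures inside WINDOW
    for line in log_text.splitlines():
        ts, user, result, src = parse_line(line)
        fails = recent_fails[user]
        fails[:] = [t for t in fails if ts - t <= WINDOW]  # drop entries outside the window
        if result == "FAIL":
            fails.append(ts)
            if len(fails) == FAIL_THRESHOLD:  # alert once when the burst threshold is reached
                alerts.append(f"{user}: {FAIL_THRESHOLD} failed logins within {WINDOW} from {src}")
        elif result == "OK" and len(fails) >= FAIL_THRESHOLD:
            alerts.append(f"{user}: successful login from {src} right after a failure burst")
            fails.clear()  # burst handled; start counting afresh
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

In the sample, only jdoe's account trips both rules; asmith's single failure followed by a success stays below the threshold.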
FAQs
What is the most common cause of email-related data breaches in healthcare?
Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.
Is HIPAA violated if only internal staff emails containing PHI are compromised?
Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.
What should be included in a healthcare organization’s incident response plan for email breaches?
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.