The following email-related breaches in healthcare were reported this week:
On November 12, 2024, Familylinks Inc. reported a data breach following suspicious activity in one of its employees' email accounts. Upon investigation, Familylinks discovered that unauthorized access occurred on May 3, 2024, potentially exposing personal and/or protected health information (PHI). The breach was identified after the employee’s email account was compromised, and unauthorized parties accessed sensitive data.
The information exposed includes individuals' names, driver’s license numbers, Social Security numbers, dates of birth, medical information (including diagnoses and treatment details), and health insurance information (policy numbers) of 3,775 individuals. According to their official press release, "While Familylinks has no evidence that the information potentially involved in this incident has been misused, out of an abundance of caution, Familylinks is informing affected individuals about the steps they can take to help protect their information."
On May 3, 2024, Familylinks discovered unauthorized access to one of its employees' email accounts. A comprehensive review of the affected data was completed by October 3, 2024, to determine the extent of the compromised information. On November 12, 2024, Familylinks reported the breach to the Office for Civil Rights (OCR).
Liberty Endo, LLC, a healthcare provider based in New York, reported a data breach on November 13, 2024. The breach was caused by a hacking/IT incident involving unauthorized access to an employee’s email account. Upon discovering the breach, Liberty Endo took immediate action to secure its systems and investigate the incident, though the full scope of the breach is still under review.
It is likely that the compromised email account contained personal and health information, although the precise details of the data affected are still being determined. This breach affected a reported total of 942 individuals.
On November 13, 2024, Liberty Endo, LLC reported the data breach to the Office for Civil Rights (OCR). The investigation into the breach is ongoing, with the organization working to confirm the specific details of the compromised information.
Option Care Health (“OCH”) discovered a data breach on November 15, 2024, caused by unauthorized access to an employee’s email account. The breach was traced back to July 31, 2024, when an unauthorized party accessed the account, potentially exposing sensitive consumer data, including PHI. OCH conducted a thorough investigation and confirmed that the unauthorized party had access to certain individuals’ PHI.
The breach affected 2,897 individuals' sensitive health information, including treatment details, medical records, and possibly other personal data. The compromised data varies depending on the individual, but it likely includes information related to patients’ medical treatments, diagnoses, and health insurance.
On July 31, 2024, unauthorized access to an employee's email account was detected by Option Care Health (OCH). The following day, on August 1, 2024, OCH launched an investigation into the incident. By September 16, 2024, the investigation confirmed that the unauthorized party had accessed PHI. On November 15, 2024, OCH began sending notification letters to all affected individuals and reported the incident to the OCR.
Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.
Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.