The following email-related breaches in healthcare were reported this week:
Village Pharmacy Group data breach
What happened
On November 18, 2024, Village Pharmacy Group, a healthcare provider based in Massachusetts, reported a data breach affecting 584 individuals. The breach, classified as a hacking/IT incident, occurred when unauthorized access was gained to an employee's email account.
Impact
The compromised email account contained sensitive data, potentially exposing personal and protected health information (PHI). Village Pharmacy Group has yet to disclose the exact types of data involved, but email-related breaches often include names, contact information, and medical details.
Breach timeline
The incident was reported to the Office for Civil Rights (OCR) on November 18, 2024. Investigations into the breach are ongoing to determine the full scope of the impact.
Enso Counseling Group, PLLC data breach
What happened
On November 20, 2024, Enso Counseling Group, PLLC, a healthcare provider in New Hampshire, disclosed a hacking incident involving an employee’s email account. The breach affected 850 individuals.
Impact
Sensitive personal and health information contained in the compromised email account was potentially exposed. The types of PHI involved remain undisclosed, but Enso Counseling Group has confirmed that affected individuals will be notified in compliance with HIPAA.
Breach timeline
Enso Counseling Group reported the incident to the OCR on November 20, 2024. The investigation is ongoing, and the organization is working to enhance its email security protocols to prevent future breaches.
York County email breach
What happened
York County in Pennsylvania reported unauthorized access to an employee’s email account on November 20, 2024. Suspicious activity was first identified on September 20, 2024, prompting an immediate response to secure the account.
Impact
The compromised email account contained names, addresses, and medical information. The review of emails and attachments is still in progress, and the number of affected individuals has yet to be finalized. An interim figure of 501 individuals was submitted to the OCR.
Breach timeline
After suspicious activity was detected on September 20, 2024, York County secured the affected email account and began analyzing the compromised data. On November 20, 2024, the county submitted an interim breach report to the OCR.
East Paris Internal Medicine Associates data breach
What happened
East Paris Internal Medicine Associates, PC, based in Michigan, reported a breach on November 22, 2024, involving unauthorized access to an email account.
Impact
The breach involved unauthorized disclosure of sensitive personal and medical data via email. It exposed the PHI of 5,239 individuals as reported to the OCR.
Breach timeline
East Paris Internal Medicine Associates discovered the email-related breach and reported it to the OCR on November 22, 2024. East Paris’s Notice of Privacy Practices includes the following Privacy Rule provision: “You have the right to receive a privacy breach notice - You have the right to receive written notification if the practice discovers a breach of your unsecured PHI, and determines through a risk assessment that notification is required.” The organization has begun notifying affected individuals as part of its compliance with the HIPAA Breach Notification Rule.
Atlantic Orthopaedic Specialists data breach
What happened
Atlantic Orthopaedic Specialists, also known as Vann Virginia Center for Orthopaedics, discovered unauthorized access to an email account on August 6, 2024. The breach involved unauthorized access to files between June 20 and August 6, 2024.
Impact
Names and Social Security numbers of 1,5264 patients were potentially exposed. Affected individuals began receiving notifications on November 22, 2024.
Breach timeline
The unauthorized access to email accounts occurred between June 20 and August 6, 2024. Atlantic Orthopaedic Specialists completed a detailed forensic investigation on October 28, 2024, confirming the potential exposure of PHI. Notifications were sent to affected individuals starting November 22, 2024, alongside the OCR breach report.
How to prevent email-based breaches
- Phishing prevention training: Regularly educate staff on recognizing phishing attempts and other suspicious email activity.
- Multi-factor authentication (MFA): Enforce MFA for all employees to add a second layer of protection to email accounts.
- Encryption and secure email platforms: Use encrypted email systems like Paubox to protect sensitive data and ensure that PHI is only shared over secure channels.
- Email monitoring and alerts: Set up automated alerts for suspicious activity, such as failed login attempts or emails from unknown sources.
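Added example (not code from the original article or from Paubox) of the kind of automated alerting the monitoring bullet describes: a small detector run over constructed mailbox login log lines that flags a burst of failed logins against one account and a successful login that follows such a burst, the pattern that often precedes a compromised employee mailbox. The log format, user names and IP addresses are assumptions.

```python
"""Flag mailbox login patterns that warrant an alert (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user result source_ip" format.
SAMPLE_LOG = """\
2024-09-20T08:01:10 jdoe@example.org FAIL 203.0.113.7
2024-09-20T08:01:25 jdoe@example.org FAIL 203.0.113.7
2024-09-20T08:01:41 jdoe@example.org FAIL 203.0.113.7
2024-09-20T08:02:02 jdoe@example.org FAIL 203.0.113.7
2024-09-20T08:02:19 jdoe@example.org FAIL 203.0.113.7
2024-09-20T08:02:40 jdoe@example.org SUCCESS 203.0.113.7
2024-09-20T08:05:00 asmith@example.org FAIL 198.51.100.4
2024-09-20T09:30:00 asmith@example.org SUCCESS 198.51.100.4
"""

FAIL_THRESHOLD = 5            # failures per account that open an alert
WINDOW = timedelta(minutes=10)  # sliding window for counting failures


def parse(log_text):
    """Turn log lines into (timestamp, user, result, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def detect(events):
    """Return alerts for failure bursts and for a success right after a burst."""
    alerts = []
    recent_fails = defaultdict(list)  # user -> timestamps of failures in window
    burst_open = set()                # users with an unresolved failure burst
    for ts, user, result, ip in sorted(events):
        fails = [t for t in recent_fails[user] if ts - t <= WINDOW]
        if result == "FAIL":
            fails.append(ts)
            recent_fails[user] = fails
            if len(fails) >= FAIL_THRESHOLD and user not in burst_open:
                burst_open.add(user)
                alerts.append(("FAILED_LOGIN_BURST", user, ip, ts.isoformat()))
        else:
            # A success after a burst is the strongest signal of a takeover.
            if user in burst_open:
                alerts.append(("SUCCESS_AFTER_BURST", user, ip, ts.isoformat()))
            recent_fails[user] = []
            burst_open.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(*alert)
```

On the constructed log the single failure for asmith raises nothing, while jdoe produces a burst alert on the fifth failure and a second alert on the success that follows it.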
FAQs
What is the most common cause of email-related data breaches in healthcare?
Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.
Is HIPAA violated if only internal staff emails containing PHI are compromised?
Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.
What should be included in a healthcare organization’s incident response plan for email breaches?
An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.