The following email-related breaches in healthcare were reported this week:
On November 18, 2024, Village Pharmacy Group, a healthcare provider based in Massachusetts, reported a data breach affecting 584 individuals. The breach, classified as a hacking/IT incident, occurred when unauthorized access was gained to an employee's email account.
The compromised email account contained sensitive data, potentially exposing personal and protected health information (PHI). Village Pharmacy Group has yet to disclose the exact types of data involved, but email-related breaches often include names, contact information, and medical details.
The incident was reported to the Office for Civil Rights (OCR) on November 18, 2024. Investigations into the breach are ongoing to determine the full scope of the impact.
On November 20, 2024, Enso Counseling Group, PLLC, a healthcare provider in New Hampshire, disclosed a hacking incident involving an employee’s email account. The breach affected 850 individuals.
Sensitive personal and health information contained in the compromised email account was potentially exposed. The types of PHI involved remain undisclosed, but Enso Counseling Group has confirmed that affected individuals will be notified in compliance with HIPAA.
Enso Counseling Group reported the incident to the OCR on November 20, 2024. The investigation is ongoing, and the organization is working to enhance its email security protocols to prevent future breaches.
York County in Pennsylvania reported unauthorized access to an employee’s email account on November 20, 2024. Suspicious activity on the account was first identified on September 20, 2024, and the county secured the account and began analyzing the compromised data.
The compromised email account contained names, addresses, and medical information. The review of emails and attachments is still in progress, so the number of affected individuals has not been finalized; the interim report submitted to the OCR on November 20, 2024 used the figure of 501 individuals, the placeholder commonly filed when a breach is known to affect 500 or more people but the final count is still being determined.
East Paris Internal Medicine Associates, PC, based in Michigan, reported a breach on November 22, 2024, involving unauthorized access to an email account.
The breach involved unauthorized disclosure of sensitive personal and medical data via email. It exposed the PHI of 5,239 individuals as reported to the OCR.
East Paris Internal Medicine Associates discovered the email-related breach and reported it to the OCR on November 22, 2024. Its Notice of Privacy Practices states: “You have the right to receive a privacy breach notice - You have the right to receive written notification if the practice discovers a breach of your unsecured PHI, and determines through a risk assessment that notification is required.” The organization has begun notifying affected individuals as part of its compliance with the HIPAA Breach Notification Rule.
Atlantic Orthopaedic Specialists, also known as Vann Virginia Center for Orthopaedics, discovered unauthorized access to an email account on August 6, 2024. The subsequent forensic investigation, completed on October 28, 2024, determined that an unauthorized party had access to the account and its files between June 20 and August 6, 2024.
Names and Social Security numbers of 15,264 patients were potentially exposed. Notifications to affected individuals began on November 22, 2024, the same day the breach report was submitted to the OCR.
Phishing is the most common cause of email account compromise: attackers trick employees into entering their credentials on a fake login page or clicking malicious links, and then use the stolen credentials to sign in to the mailbox. Multi-factor authentication and sign-in policies that block logins from unexpected locations or clients substantially reduce the chance that a phished password alone is enough to reach PHI.
Exposure of PHI through a compromised email account is a breach of unsecured PHI under HIPAA even when the messages were only ever exchanged internally; unauthorized access to protected information triggers the Breach Notification Rule unless a documented risk assessment shows a low probability that the PHI was compromised.
An incident response plan should include steps for isolating affected accounts (resetting credentials, revoking active sessions and tokens, removing attacker-added mailbox rules or forwarding), preserving and reviewing mailbox audit logs to establish what was accessed and when, reviewing the mailbox contents in that window to identify the individuals whose PHI was exposed, conducting a root cause analysis, and notifying affected individuals and regulators. HIPAA requires individual notification without unreasonable delay and no later than 60 calendar days after discovery, and breaches affecting 500 or more individuals must also be reported to the OCR within that period.
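The scoping step is where the open-ended "review of emails and attachments" in the York County and Atlantic Orthopaedic cases comes from: the team has to work out which sign-ins were the attacker's and which messages those sessions touched before it can count affected individuals. The following script is an added example written for this article, not code from any of the organizations named above. It runs over constructed sample records loosely modelled on the shape of Exchange Online unified-audit-log entries (UserLoggedIn and MailItemsAccessed events); the field layout is simplified, the trusted network range (TEST-NET-3) and the addresses are assumed, and the IsThrottled flag mirrors the real log's warning that item-level events were dropped under load.

```python
"""Scope a compromised mailbox from (simplified) mailbox audit records.

Added example: identifies activity from untrusted IP addresses, the time
window it spans, and the set of messages those sessions accessed.
"""
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed corporate egress range; anything outside it is treated as untrusted.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed sample records (not real audit data). Field names follow the
# general shape of Exchange Online audit entries but the schema is simplified.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2024-06-15T08:02:11", "Operation": "UserLoggedIn", "UserId": "jdoe@example.org", "ClientIPAddress": "203.0.113.10", "SessionId": "s-office-1"}
{"CreationTime": "2024-06-20T03:41:09", "Operation": "UserLoggedIn", "UserId": "jdoe@example.org", "ClientIPAddress": "198.51.100.77", "SessionId": "s-unknown-1"}
{"CreationTime": "2024-06-20T03:45:30", "Operation": "MailItemsAccessed", "UserId": "jdoe@example.org", "ClientIPAddress": "198.51.100.77", "SessionId": "s-unknown-1", "Folders": [{"Path": "Inbox", "FolderItems": [{"InternetMessageId": "<m1@example.org>"}, {"InternetMessageId": "<m2@example.org>"}]}]}
{"CreationTime": "2024-07-02T14:10:45", "Operation": "MailItemsAccessed", "UserId": "jdoe@example.org", "ClientIPAddress": "203.0.113.10", "SessionId": "s-office-2", "Folders": [{"Path": "Inbox", "FolderItems": [{"InternetMessageId": "<m3@example.org>"}]}]}
{"CreationTime": "2024-08-05T22:10:00", "Operation": "MailItemsAccessed", "UserId": "jdoe@example.org", "ClientIPAddress": "198.51.100.77", "SessionId": "s-unknown-1", "OperationProperties": [{"Name": "IsThrottled", "Value": "True"}], "Folders": [{"Path": "Sent Items", "FolderItems": [{"InternetMessageId": "<m2@example.org>"}, {"InternetMessageId": "<m4@example.org>"}]}]}
"""


def parse_records(raw: str) -> list[dict]:
    """Parse newline-delimited JSON audit records and sort them by timestamp."""
    records = [json.loads(line) for line in raw.strip().splitlines() if line.strip()]
    for rec in records:
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
    return sorted(records, key=lambda rec: rec["_ts"])


def is_trusted(ip: str, trusted_networks) -> bool:
    """True when the client address falls inside a known corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in trusted_networks)


def was_throttled(rec: dict) -> bool:
    """Detect the audit log's own warning that item-level events were dropped."""
    return any(
        prop.get("Name") == "IsThrottled" and str(prop.get("Value")).lower() == "true"
        for prop in rec.get("OperationProperties", [])
    )


def scope_compromise(records: list[dict], trusted_networks) -> dict:
    """Summarize activity from untrusted IPs: who, when, and which messages.

    The returned message set is a lower bound whenever 'throttled' is True,
    because the log itself reports that not every item access was recorded;
    in that case the mailbox contents for the window must be reviewed directly.
    """
    suspect_ips, suspect_sessions, message_ids = set(), set(), set()
    first_seen = last_seen = None
    throttled = False
    for rec in records:
        ip = rec.get("ClientIPAddress")
        if not ip or is_trusted(ip, trusted_networks):
            continue
        suspect_ips.add(ip)
        suspect_sessions.add(rec.get("SessionId"))
        ts = rec["_ts"]
        first_seen = ts if first_seen is None else min(first_seen, ts)
        last_seen = ts if last_seen is None else max(last_seen, ts)
        if rec.get("Operation") == "MailItemsAccessed":
            throttled = throttled or was_throttled(rec)
            for folder in rec.get("Folders", []):  # absent when no items were logged
                for item in folder.get("FolderItems", []):
                    if item.get("InternetMessageId"):
                        message_ids.add(item["InternetMessageId"])
    return {
        "suspect_ips": suspect_ips,
        "suspect_sessions": suspect_sessions,
        "first_seen": first_seen,
        "last_seen": last_seen,
        "message_ids": message_ids,
        "throttled": throttled,
    }


if __name__ == "__main__":
    summary = scope_compromise(parse_records(SAMPLE_AUDIT_LOG), TRUSTED_NETWORKS)
    print(f"untrusted IPs: {sorted(summary['suspect_ips'])}")
    print(f"window: {summary['first_seen']} to {summary['last_seen']}")
    print(f"messages accessed (lower bound={summary['throttled']}): {sorted(summary['message_ids'])}")
```

The window produced here (first untrusted sign-in to last untrusted access) is what a notification letter reports as the period of unauthorized access, and the message set is the starting point for the manual PHI review. When the throttling flag is set, or when the attacker used a client that synchronizes the whole mailbox, the item list understates exposure and the safe assumption is that everything in the mailbox during the window was accessible.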