On November 16, 2018, Southwest Washington Regional Surgery Center submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS). Based in Vancouver, Washington, Southwest Washington Regional Surgery Center’s email breach affected 2,393 individuals’ protected health information. Southwest Washington, Regional Surgery Center, is classified as a Healthcare Provider. According to this report about Southwest Washington Regional Surgery Center’s breach:
Southwest Washington Regional Surgery Center in Vancouver, WA, has suffered a phishing attack that has resulted in the exposure of 2,393 patients’ protected health information. The breach was confined to a single email account and no evidence was uncovered to suggest any emails have been accessed or downloaded by the attacker. An extensive investigation was conducted with assistance provided by a third-party cybersecurity firm. The investigation concluded on September 25. The investigation included a manual review of all emails in the compromised account to identify patients affected and the types of information that may have been compromised. Southwest Washington Regional Surgery Center explained in its breach notice that the beach was limited to the following PHI elements: Names, driver’s license numbers, Social Security numbers, medical information, and for a limited number of patients, credit card numbers. The investigation revealed the email account was compromised on May 27, 2018 and access remained possible until August 13, 2018. Patients impacted by the breach were sent breach notification letters on November 6, 2018 and have been offered complimentary credit monitoring and identity theft restoration services for 12 months. Information has also been provided on the steps that should take to reduce the risk of identity theft and fraud. The breach has prompted Southwest Washington Regional Surgery Center to enhance its email access protocols to prevent further successful phishing attacks, passwords were reset, and its password policy updated.
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.