
Email security breaches expose patient data at 2 major healthcare institutions

Recent email security breaches at two major healthcare organizations, Children’s Health Care in Minnesota and the Los Angeles County Department of Mental Health, have exposed numerous individuals' protected health information (PHI). 

 

Children's Health Care, Minnesota

Children's Health Care, a renowned children's hospital in Minneapolis, Minnesota, had an email security incident that came to light on March 13, 2024. Suspicious activity was detected within the hospital's email system, and a subsequent forensic investigation confirmed that two employee email accounts had been subjected to unauthorized access between February 29, 2024, and March 25, 2024.

The investigation revealed that patient information related to the hospital's surgical services department was stored in the affected email accounts. This included sensitive data such as patients' names, addresses, dates of birth, insurance carrier names, medical record numbers, provider names, treatment cost information, and limited treatment details. Fortunately, the compromised accounts did not contain any financial account information, credit card data, or Social Security numbers.

Children's Health Care promptly reported the breach to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), indicating that the incident had affected 7,260 patients. The hospital is notifying these individuals by mail over the coming weeks.

To address the situation, Children's Health Care has been proactive in providing cybersecurity and privacy training to its workforce. Additionally, the organization is committed to implementing further safeguards to enhance the security of its email systems and better protect against future breaches.

 

LA County Department of Mental Health

In a separate incident, the Los Angeles County Department of Mental Health fell victim to a phishing attack that resulted in unauthorized access to an employee's email account and the exposure of protected health information (PHI) for 1,598 patients.

The attack occurred on March 20, 2024, when a compromised email account at an unnamed external entity was used to send a phishing email to an employee of the Department of Mental Health. The employee, believing the email to be genuine, disclosed their account credentials, allowing the attacker to gain access to the sensitive information stored in the account.

The review of the affected account confirmed that the compromised data included patients' names, addresses, telephone numbers, dates of birth, medical record numbers, and Social Security numbers.

After disabling the affected accounts and resetting the Office 365 and multifactor authentication credentials, the Department of Mental Health reviewed and updated its security policies, procedures, and controls. The organization also notified Microsoft about the vulnerability exploited in the attack and implemented additional safeguards to better protect against similar incidents in the future.

The review process was completed on May 16, 2024, and individual notifications were mailed to the affected patients on May 20, 2024.

 

Why it matters

The recent email security breaches at Children’s Health Care in Minnesota and the Los Angeles County Department of Mental Health have implications for the security and privacy of patient data within healthcare institutions. These incidents show the vulnerability of sensitive medical and personal information transmitted via email, calling for the urgent implementation of enhanced safeguards and security protocols to protect patient confidentiality and mitigate the risk of future breaches. Healthcare institutions must prioritize cybersecurity training for their workforce and invest in advanced email security solutions to prevent similar incidents and safeguard the privacy and integrity of patient data.

 
