Getty Images
Highmark Health Suffers Phishing Attack, 300K Individuals Impacted
Highmark Health notified 300,000 individuals of a phishing attack that potentially compromised protected health information.
Highmark Health suffered a phishing attack that impacted 300,000 individuals, a notice provided to the Maine Attorney General’s Office stated. Highmark Health is the second largest integrated delivery and financing system in the US.
On December 15, Highmark discovered that one of its employees was sent a malicious link that led to their email account being compromised for two days. The threat actor potentially accessed emails containing protected health information (PHI).
The information contained in the email account included names, enrollment information, prescription and treatment information, financial information, addresses, and phone numbers.
“Consistent with corporate policies and procedures, Highmark has taken internal actions to safeguard your protected health information,” Highmark Health noted.
“The mailbox was immediately shut down, network blocking was implemented, passwords were reset, and the enterprise will continue to enhance email security controls. Additional training and education has been provided to employees in regard to the Cyber Security Incident to make them aware and help prevent future Cyber/Phishing attempts in the future.”
The organization offered impacted individuals 24 months of Experian identity theft monitoring services.
Southeast Colorado Hospital District Experiences Breach
Southeast Colorado Hospital District (SECHD) discovered suspicious activity within an employee email account on December 6, 2022. Further investigation determined that an unauthorized party had accessed the employee’s email account between November 23 and December 5.
The account contained names, driver’s license numbers, Social Security numbers, treatment information, dates of birth, and health insurance information.
SECHD began notifying impacted individuals of the incident on February 3 and offered them complimentary identity theft protection services.
“SECHD takes its responsibility to safeguard personal information seriously and apologizes for any inconvenience this incident might cause,” a notice to patients stated. “SECHD is enhancing its technical security measures to help prevent an incident like this from happening again.”
Alabama Health System Discovers Breach During Routine Privacy Audit
Alabama-based DCH Health System notified 2,530 individuals of a data breach that was discovered during a routine privacy audit in December 2022.
On December 9, DCH Health System discovered that one of its employees had accessed the electronic medical records of multiple patients without a business need to do so between September 2021 and December 2022.
The employee potentially viewed patient names, dates of birth, addresses, diagnoses, vital signs, test results, Social Security numbers, and provider notes.
DCH terminated the employee and worked with a data breach recovery expert to fulfill notification requirements.
“DCH continues to provide ongoing mandatory HIPAA/privacy training to its workforce members regarding appropriate access, use and disclosure of protected health information,” the notice stated. “DCH will also use this incident to improve our privacy monitoring tools and processes.”