Phishing Attacks, Email Security Incidents Hit 3 Healthcare Orgs

A phishing attack against a West Virginia medical center potentially exposed PHI, and a separate email security breach impacted 28K at a Minnesota mental health center.

Three healthcare organizations recently began notifying patients of separate email security incidents that potentially exposed protected health information (PHI).

Charleston Area Medical Center Phishing Attack Impacts 54K

A phishing attack against Charleston Area Medical Center (CAMC) impacted 54,000 individuals.

On January 10 and 11, an unauthorized actor gained access to some CAMC employee email accounts via a phishing scam. In a notice on its website, CAMC said it took steps to terminate access and secure the accounts as soon as possible.

“Based on the available forensic evidence, we believe that the unauthorized individual was interested in collecting login information for CAMC employee accounts rather than accessing individuals’ personal information,” the notice stated.

Nonetheless, the impacted accounts contained patient names, medical record numbers, test results, and other treatment information. The Social Security numbers of 0.001 percent of the victims were impacted, CAMC said.

“We have enhanced our technical security measures to prevent the occurrence of a similar event in the future,” the notice continued.

“We also routinely train our employees on data privacy and cybersecurity issues, and will be conducting additional training related to this incident.”

CAMC encouraged potential victims to remain vigilant against identity theft and fraud.

MN Mental Health Center Breach Impacts 28K

An IT incident at Central Minnesota Mental Health Center (CMMHC) potentially exposed the information of 28,725 individuals. A notice on the center’s website said that the organization first discovered “malicious activity” on October 21, 2021.

In light of the discovery, CMMHC secured its email accounts and engaged a team of third-party forensic investigators.

“On or around November 23, 2021, the third-party forensic investigator confirmed that multiple email accounts had been synced, and thus were considered compromised,” the notice explained.

“The investigation revealed that the IT incident began on September 20, 2021 and continued until the environment was secured by the Company on October 29, 2021.”

By February 2022, investigators determined that some personal information was involved in the breach, including addresses, clinical information, treatment locations, doctors’ names, patient account numbers, and treatment information. Some Social Security numbers, financial account information, and driver’s license numbers were impacted.

“We take the security of sensitive information very seriously. Upon discovery of this incident, company immediately secured our systems and took steps to prevent further unauthorized access,” the notice stated.

“The problem has been remediated and our IT systems are operating securely. In addition to conducting a thorough investigation into the incident with the help of a qualified third-party IT forensic investigator, we implemented additional safeguards and security measures to enhance the privacy and security of information in our systems.”

Christie Clinic Suffers Email Security Incident

Illinois-based Christie Clinic issued a notice about a recent email security incident that potentially exposed certain patient information.

Between July 14 and August 19, 2021, an unauthorized actor maintained access to one email account “to intercept a business transaction between Christie Clinic and a third party vendor.”

By March 2022, Christie Clinic determined what information the unauthorized actor may have had access to. The information potentially included names, Social Security numbers, medical information, health insurance information, and addresses.

“Based on the nature of access to the single user’s email account, Christie Clinic and our professional forensic investigators have concluded that the extent of the access is unknown and cannot be determined,” the notice stated. 

“Out of caution, we are sending notice to all individuals.”

The clinic said that there was no evidence of data misuse due to the incident. Christie Clinic also noted that it has since implemented additional safeguards to protect patient data.
