Getty Images

Phishing Attack on Five Rivers Health Impacts Data of 156K Patients

Five Rivers Health Centers found a phishing attack led to a two-month long system hack last year; a systems hack, more phishing, and a vendor incident complete this week’s breach roundup.

Ohio-based Five Rivers Health Centers recently notified 155,748 patients that their personally identifiable and health information was breached after a two-month long email compromise last year, stemming from a phishing attack.

The impacted email accounts were subjected to unauthorized access from April 1, 2020 and June 2, 2020.

The notice does not explain when the unauthorized access was discovered, just that an extensive forensic investigation and manual document review concluded at the end of March 2021.

Under HIPAA, breaches impacting 500 or more patients are required to be reported to the Department of Health and Human Services within 60 days of discovery and without undue delay.

Upon discovery, officials said they secured the accounts and launched an investigation with assistance from an outside cybersecurity firm. The forensics review determined that the email accounts included personal and health information that varied by patient.

The impacted data could include patient names, contact details, dates of birth, medical record and patient account numbers, diagnoses, treatments and costs, clinical information, test or lab results and reports, provider names, dates of service, health insurance details, and other sensitive data.

For a limited number of patients, financial account numbers, payment cards, driver’s licenses, state identification numbers, and or Social Security numbers were also included in the compromised data. These patients will receive complimentary credit monitoring.

Five Rivers has since implemented two-factor authentication, reviewed and revised existing internal security policies and procedures, and provided its workforce with renewed cybersecurity training.

SEIU 775 Benefits Group Systems Hack, Data Destruction

Precisely 140,000 individuals who’ve used the services of SEIU 775 Benefits Group have been notified that their data was accessed and possibly deleted after a recent hack of the group’s data systems.

SEIU 775 Benefits Group provides employee benefit plans negotiated by SEIU 775, a labor union for long-term care workers in Washington and Montana.

Around April 4, the group’s IT team detected certain anomalies in its data systems, including what appeared to be potentially deleted data. An investigation led with support from third-party forensics and cybersecurity consultants determined the group's systems were hacked.

During that time, the attackers deleted some personally identifiable and protected health information of some individuals of the SEIU 775 Benefits Group. The data could include demographic details, contact information, SSNs, health plan eligibility, and enrollment details.

SEIU 775 Benefits Group secured the impacted systems and contacted law enforcement, engaging with legal counsel and notifying relevant authorities. Officials said they’re continuing to work with the outside security leaders to further bolster the systems’ security.

Lafourche Medical Group Phishing Incident

A phishing attack on a third-party accountant of Lafourche Medical Group resulted in the compromise of patient information and its cloud-based Microsoft 365 email system. The HHS breach reporting tool shows 34,862 patients were affected by the incident.

Lafourche Medical Group owns and operates urgent care centers in Raceland and Destrehan, Louisiana, including Lafourche Urgent Care and St. Charles Urgent Care.

On March 30, Lafourche Medical Group discovered that attackers were sending emails to its accountant, impersonating the owners of Lafourche Medical Group. The phishing attack targeted its outside accountant.

The investigation that followed determined its email system had been compromised. Officials stressed that its EMR and on-premise systems were not affected by the incident.

However, a forensics review confirmed that patient information was contained in the impacted accounts, but the investigators could not identify all the potentially impacted patient information contained in the system.

As such, officials are notifying all patients of the types of data possibly contained in the email system, such as names, contact information, dates of birth, medical record numbers, insurance or health plan beneficiary number, guarantor names, diagnoses, provider names, and lab results.

An IT consulting firm has been working with Lafourche Medical to reassess its computer systems and security measures, including recommending additional best practices for its IT security.

Lafourche Medical has since strengthened its firewall, increased email security measures, bolstered the sensitivity of spam and malware filters, implemented stricter password policies, and enabled multi-factor authentication for mobile access.

Officials said they’ve also improved its business associate vetting process and retrained the workforce on cybersecurity, including social engineering and phishing attacks.

BlueCross BlueShield of Kansas City’s Vendor Incident

A third-party vendor incident led to the compromise of protected health information belonging to 47,035 BlueCross BlueShield of Kansas City (Blue KC) members. LogicGate is a vendor of software hosting services and also reported the breach to HHS.

According to the notice, the incident stemmed from a hack on its backup environment. Upon discovery, the access was terminated and law enforcement was notified, while the security team launched a forensic review to assess the scope of the incident.

The review found the data belonging to Blue KC was potentially accessed on February 23, 2021. The health plan was notified by LogicGate on April 7.

The compromised data include patient names, dates of birth, contact details, SSNs, insurance information, such as group and member identification numbers, and or medical information, like dates of service, treatments, and prescriptions.

All members will receive two years of identity theft protection services.

LogicGate is working with Blue KC to improve the protection of plan members’ data and has since implemented increased security measures for data maintained in its software programs. The vendor also had its system security verified by a third-party auditor.

Next Steps

Dig Deeper on Healthcare data breaches