HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Email account breaches reported by 4 HIPAA-covered entities

Written by Tshedimoso Makhene | Oct 10, 2024 2:30:00 PM

Four healthcare organizations have recently reported email account breaches, leading to unauthorized access to sensitive patient data. The impacted entities include Southern Bone & Joint Specialists in Mississippi, Connally Memorial Medical Center in Texas, Michigan Masonic Home, and Rim Country Health and Rehabilitation in Arizona. 

 

What happened

Southern Bone & Joint Specialists detected unauthorized activity in employee email accounts on May 7, 2024, affecting the protected health information (PHI) of 7,162 patients. The compromised information included names, addresses, diagnosis codes, and insurance details. Similarly, Connally Memorial Medical Center discovered unauthorized access to an employee’s email, exposing data such as Social Security numbers and medical records of 1,228 individuals. Meanwhile, Michigan Masonic Home, a retirement village, reported a breach in an employee's email from May 28 to July 18, 2024, affecting over 500 individuals. Lastly, Rim Country Health and Rehabilitation in Arizona identified a hacking incident that exposed 721 patient record.

 

Going deeper 

The breaches at these healthcare organizations reveal a pattern of vulnerability in their email systems, with each incident involving unauthorized access to sensitive information over varying durations.

At Southern Bone & Joint Specialists, unauthorized access was identified on May 7, 2024. The breach exposed personal and medical information of 7,162 patients. The compromised data included basic identifiers such as names, addresses, and phone numbers and more sensitive information like diagnosis codes, insurance policy numbers, and CPT codes (used for billing medical procedures). Despite the breach, there have been no reports of identity theft or fraud at the time of notification. The organization promptly engaged a specialized cybersecurity firm to investigate the breach, leading to the confirmation that files and data in the email system had been accessed. In response, Southern Bone & Joint Specialists is offering credit monitoring services to affected individuals, underscoring the seriousness of the exposed data.

The breach at Connally Memorial Medical Center involved an employee’s email account, with unauthorized access confirmed on July 29, 2024. The organization’s breach notice, however, lacks specifics on the exact timeline of the breach, leaving ambiguity around how long the attackers had access. The compromised email account contained a limited amount of patient data, which varied among individuals. This information included sensitive identifiers such as Social Security numbers, medical diagnoses, and treatment information, making it a potentially serious breach despite the lack of evidence for misuse. The exposure of personal and medical information has prompted Connally Memorial to strengthen its network security measures, focusing on enhancing policies around data protection and cybersecurity practices.

Michigan Masonic Home, a retirement village, also fell victim to unauthorized access within a single employee’s email account. The breach went undetected for nearly two months, from May 28 to July 18, 2024. Although no definitive evidence of access to PHI was found, the organization cannot rule out the possibility that sensitive data, including Social Security numbers, driver’s license information, medical records, and even financial details, may have been viewed or acquired. This uncertainty, combined with the fact that Michigan Masonic Home caters to a vulnerable elderly population, raises significant concerns about the potential misuse of personal and medical information. The ongoing file review makes it unclear exactly how many individuals were impacted, but the breach has already been reported to the HHS as affecting at least 500 individuals.

Rim Country Health and Rehabilitation in Arizona experienced a more direct breach in which unauthorized access to patient information was confirmed after detecting hacking activity on July 16, 2024. The compromised data included patient names, contact information, and medical records for 721 patients. While the organization swiftly secured its systems and conducted an investigation, this breach illustrates the direct exposure of PHI to external actors, potentially leading to misuse of medical records. In response, Rim Country Health has bolstered its cybersecurity defenses and provided its employees with additional cybersecurity training to prevent future attacks.

In all these incidents, the breaches involved the compromise of employee email accounts, highlighting the ongoing challenge that healthcare organizations face in securing such communication channels. Email systems, often containing vast amounts of sensitive patient data, are frequent targets for cybercriminals due to weak authentication protocols, phishing attacks, and human error. These breaches stress the importance of email security as an important component of overall cybersecurity strategies in healthcare.

While none of the organizations have reported any direct misuse of the exposed data so far, the nature of the breaches, especially the exposure of medical records and financial details, means there is always a lingering risk of identity theft, fraud, and other malicious activities. The entities are not only enhancing security but also reviewing internal procedures for storing and accessing sensitive data to reduce the likelihood of future breaches. These actions, including increased cybersecurity training for employees and deploying more sophisticated monitoring systems, are aimed at minimizing the risks associated with future email compromises.

Go deeper: Why is email still the number one target of cybercriminals?

 

By the numbers

The number of individuals affected varies across the organizations:

  • Southern Bone & Joint Specialists: 7,162 patients
  • Connally Memorial Medical Center: 1,228 patients
  • Michigan Masonic Home: Over 500 patients (file review still ongoing)
  • Rim Country Health and Rehabilitation: 721 patients

See also: Top 10 healthcare data breaches so far in 2024

 

Why it matters 

The breaches reported expose critical vulnerabilities in email systems. Although no fraud has been detected yet, healthcare organizations must take proactive measures to strengthen their defenses. With patient data at risk, HIPAA-covered entities must prioritize cybersecurity to avoid future breaches and the potential harm they could cause.  

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is an email account breach in healthcare?

An email account breach occurs when unauthorized individuals gain access to a healthcare organization's email systems. This can result in the exposure of sensitive information, including patient records, personal identification, and medical data. These breaches are often caused by phishing attacks, weak passwords, or security vulnerabilities within the email system.

 

What kind of data is typically exposed in an email breach?

The data exposed in an email breach can vary, but typically includes:

  • Personal identification details (e.g., names, addresses, Social Security numbers)
  • Medical records (e.g., diagnoses, treatment information, lab results)
  • Insurance details (e.g., policy numbers, Medicare/Medicaid numbers)
  • Financial information (e.g., credit card details, bank account information)

 

What is the impact of an email breach on patients?

Patients affected by email breaches may face a range of risks, including:

  • Identity theft: Stolen personal information can be used to open fraudulent accounts or commit other forms of financial fraud.
  • Medical fraud: Cybercriminals may use exposed medical data to file false insurance claims or access healthcare services under someone else’s identity.
  • Privacy violations: Sensitive medical records being accessed by unauthorized parties can lead to violations of patient privacy