
Familylinks breach connected to employee email account

Written by Liyanda Tembani | Nov 27, 2024 3:57:04 AM

Familylinks Inc., a nonprofit healthcare provider based in Pittsburgh, recently reported a data security incident that potentially exposed the personal and protected health information (PHI) of 3,775 individuals. The breach has now been linked to an employee’s email account.

Discovery and investigation

According to their official statement, on May 3, 2024, Familylinks discovered suspicious activity in an employee's email account. The organization states that they promptly engaged independent cybersecurity experts and launched an investigation to determine the scope of the incident.

The investigation revealed that emails and attachments within the compromised account may have been accessed without authorization on the same day. Following a detailed data review, completed on October 3, 2024, Familylinks identified that certain individuals’ PHI and personal information were affected.

Information compromised

The potentially exposed data includes sensitive details such as:

  • Names, Social Security numbers, and dates of birth.
  • Driver’s license or state ID numbers.
  • Federal ID numbers.
  • Medical information, including diagnosis and treatment details.
  • Health insurance policy numbers.

Although there is no evidence suggesting misuse of the data, the exposure of this information presents a risk of identity theft and other potential misuse.

Notification of affected individuals

According to their official press release on the incident, Familylinks took immediate action to notify individuals whose data may have been affected. On October 3, 2024, notification letters were sent via U.S. mail to those with verified addresses, with guidance on protecting their information and addressing concerns. A toll-free call center was also established to answer questions and assist individuals.

Guidance for affected individuals

Familylinks advises all affected individuals to take the following steps to protect their information:

  1. Monitor financial accounts: Check for unauthorized transactions or accounts.
  2. Request free credit reports: Obtain reports from all three major credit bureaus via AnnualCreditReport.com.
  3. Place a fraud alert: Inform creditors to verify your identity before opening new accounts.
  4. Consider a security freeze: Restrict access to your credit file to prevent unauthorized activity.

Additional resources on identity theft prevention are available through the Federal Trade Commission (FTC) at www.ftc.gov/idtheft.

How to prevent email-based breaches

  • Phishing prevention training: Regularly educate staff on recognizing phishing attempts and other suspicious email activity.
  • Multi-factor authentication (MFA): Enforce MFA on every employee email account so that a stolen password alone is not enough to sign in.
  • Encryption and secure email platforms: Use encrypted email systems like Paubox to protect sensitive data and ensure that PHI is only shared over secure channels.
  • Email monitoring and alerts: Set up automated alerts for suspicious activity, such as failed login attempts or emails from unknown sources.

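As an added illustration of the monitoring bullet above (example code written for this article, not Familylinks’ or Paubox’s own tooling), here is a small Python detector that runs over mail-server authentication log lines and raises three kinds of alert a security team would want for a case like this one: a burst of failed logins for one account from one address inside a time window, a successful login that follows such a burst (the pattern a freshly compromised account shows), and a successful login from an address outside the account’s known-IP baseline. The log format (`ts auth user=… ip=… result=OK|FAIL`), the sample lines, the threshold, the addresses and the baseline are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed, simplified format (not any real
# product's log). Addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-03T08:01:12Z auth user=jdoe@example.org ip=203.0.113.7 result=FAIL
2024-05-03T08:01:15Z auth user=jdoe@example.org ip=203.0.113.7 result=FAIL
2024-05-03T08:01:19Z auth user=jdoe@example.org ip=203.0.113.7 result=FAIL
2024-05-03T08:01:24Z auth user=jdoe@example.org ip=203.0.113.7 result=FAIL
2024-05-03T08:01:30Z auth user=jdoe@example.org ip=203.0.113.7 result=FAIL
2024-05-03T08:01:41Z auth user=jdoe@example.org ip=203.0.113.7 result=OK
2024-05-03T08:05:02Z auth user=asmith@example.org ip=198.51.100.20 result=OK
2024-05-03T09:30:00Z auth user=asmith@example.org ip=198.51.100.20 result=FAIL
2024-05-03T09:30:05Z auth user=asmith@example.org ip=198.51.100.20 result=OK
"""

# Assumed baseline: the addresses each account normally signs in from.
KNOWN_IPS = {
    "jdoe@example.org": {"192.0.2.10"},
    "asmith@example.org": {"198.51.100.20"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, known_ips, threshold=5, window=timedelta(minutes=5)):
    """Return (alert_kind, user, ip) tuples in chronological order.

    failed_login_burst : at least `threshold` failures for one (user, ip) inside `window`
    success_after_burst: a successful login following a flagged burst (likely compromise)
    new_source_ip      : a successful login from an address outside the user's baseline
    """
    alerts = []
    recent_fails = defaultdict(list)  # (user, ip) -> failure timestamps inside the window
    burst_flagged = set()             # (user, ip) pairs already reported as a burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        cutoff = ev["ts"] - window
        fails = [t for t in recent_fails[key] if t >= cutoff]  # slide the window forward
        recent_fails[key] = fails
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            if len(fails) >= threshold and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append(("failed_login_burst", ev["user"], ev["ip"]))
            continue
        # Successful login: check it against the burst state and the baseline.
        if key in burst_flagged:
            alerts.append(("success_after_burst", ev["user"], ev["ip"]))
            burst_flagged.discard(key)
        if ev["ip"] not in known_ips.get(ev["user"], set()):
            alerts.append(("new_source_ip", ev["user"], ev["ip"]))
        fails.clear()  # a success resets the failure counter for this pair
    return alerts


def run_sample():
    """Run the detector over the constructed sample log with the assumed baseline."""
    return detect(parse_log(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for kind, user, ip in run_sample():
        print(f"ALERT {kind:20s} user={user} ip={ip}")
```

On the sample data the detector reports a failed-login burst for `jdoe@example.org`, then a successful login after that burst, and then that the successful login came from an address not in the account’s baseline; `asmith@example.org`, with a single typo-style failure followed by a success from a known address, produces nothing. In practice the same logic is fed from the mail platform’s or identity provider’s sign-in audit log, the threshold and window are tuned to the organization’s normal failure rate, and the success-after-burst alert is the one to route for immediate triage, since it is the signal that a guessed or phished password actually worked.
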
FAQs

What is the most common cause of email-related data breaches in healthcare?

Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.

Is HIPAA violated if only internal staff emails containing PHI are compromised?

Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.

What should be included in a healthcare organization’s incident response plan for email breaches?

An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.