1 min read

Option Care Health announces data breach

Option Care Health announces data breach

Option Care Health, a provider of home and alternate site infusion therapy, recently reported a data security incident that compromised the protected health information (PHI) of 2,897 individuals.

 

What happened

Option Care Health (OCH) discovered a data breach on November 15, 2024, caused by unauthorized access to an employee’s email account. The breach was traced back to July 31, 2024, when an unauthorized party accessed the account, potentially exposing sensitive consumer data, including PHI. OCH conducted a thorough investigation and confirmed that the unauthorized party had access to certain individuals’ PHI.

 

Nature of the breach

While the full scope of the breach is still under investigation, the fraudulent activities reported include:

  • Fake emails and text messages that appear to originate from Option Care Health.
  • Phishing websites using domain names similar to optioncarehealth.com (e.g., "0ptioncarehealth[.]com").
  • Scam phone calls impersonating representatives of the organization.

These tactics aim to deceive recipients into sharing sensitive personal information or accessing malicious websites.

Related: Tips to spot phishing emails disguised as healthcare communication

 

Notification and assistance

Option Care Health has alerted its patients, partners, and customers about these scams. The organization encourages individuals to stay vigilant and has established a dedicated fraud reporting email and phone line for those who suspect fraudulent activity:

  • Email: websitefraud@optioncare.com
  • Phone: 844-624-4584

How to prevent email-based breaches

  • Phishing prevention training: Regularly educate staff on recognizing phishing attempts and other suspicious email activity.
  • Multi-factor authentication (MFA): Enforce MFA for all employees for an additional layer of security to email accounts.
  • Encryption and secure email platforms: Use encrypted email systems like Paubox to protect sensitive data and ensure that PHI is only shared over secure channels.
  • Email monitoring and alerts: Set up automated alerts for suspicious activity, such as failed login attempts or emails from unknown sources.

 

FAQs

What is the most common cause of email-related data breaches in healthcare?

Phishing attacks are the most common cause, where attackers trick employees into sharing login credentials or clicking malicious links, granting unauthorized access to email accounts.

 

Is HIPAA violated if only internal staff emails containing PHI are compromised?

Yes, if PHI is exposed through compromised internal emails, it still constitutes a HIPAA violation, as unauthorized access to protected information breaches privacy regulations.

 

What should be included in a healthcare organization’s incident response plan for email breaches?

An incident response plan should include steps for isolating affected accounts, notifying impacted individuals, conducting a root cause analysis, and reporting to regulatory authorities if required.