Survival Flight, an Arizona-based emergency medical transport company, recently announced that a cyberattack targeted its email systems, compromising 12,342 individuals’ personal data.
Survival Flight detected suspicious activity on several employee email accounts on May 22, 2024. The investigation that followed confirmed on August 19, 2024, that an unauthorized individual had accessed protected health information (PHI). The compromised data included individuals' names, Social Security numbers, financial details, medical information, and health insurance information.
Following the incident, Survival Flight conducted a comprehensive review to identify the impacted individuals. On October 18, 2024, the company publicly announced the breach via its website and sent notification letters to affected individuals.
Survival Flight’s breach notice states, “In response to this incident, we have partnered with forensic specialists to evaluate and reinforce existing security measures within our email environment and are reviewing our policies and procedures related to data security.”
The company also states that, although it has “no evidence of actual or attempted fraudulent misuse of information as a result of this incident, individuals are nonetheless encouraged to monitor their account statements and explanation of benefits forms for suspicious activity and to detect errors.”
HIPAA requires that covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates implement technical safeguards to secure PHI.
HIPAA compliant email solutions such as Paubox implement technical safeguards, including encryption and access controls, to protect PHI and prevent unauthorized access. Providers can also use role-based access controls to reduce the likelihood of a data breach; those access rights should be reviewed regularly and adjusted whenever an employee changes roles.
As a HIPAA-covered entity, Survival Flight must safeguard PHI. When an employee’s email credentials are compromised, patient PHI is put at risk and the organization is exposed to possible HIPAA violation fines, legal action, and reputational harm.
Healthcare providers must use a HIPAA compliant platform to reinforce email security. They must also improve employee training and monitor their systems to prevent unauthorized PHI access and data breaches.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
Individuals who suspect their data has been compromised should monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No. Under U.S. law, consumers are entitled to one free credit report annually from each of the three major credit reporting bureaus (Equifax, Experian, and TransUnion), and placing a fraud alert or credit freeze does not incur any cost.