HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Survival Flight email breach exposes 12,342 individuals

Written by Caitlin Anthoney | Oct 29, 2024 1:01:22 AM

Survival Flight, an Arizona-based emergency medical transport company, recently announced that a cyberattack targeted its email systems, compromising 12,342 individuals’ personal data.

 

What happened  

Survival Flight detected suspicious activity on several employee email accounts on May 22, 2024. After launching an investigation, the company confirmed that on August 19, 2024, an unauthorized individual accessed protected health information (PHI). The compromised data included individuals' names, Social Security numbers, financial details, medical information, and health insurance information. 

Following the incident, Survival Flight conducted a comprehensive review to identify the impacted individuals. On October 18, 2024, the company publicly announced the breach via its website and sent notification letters to affected individuals.

 

What was said  

Survival Flight’s breach notice states,In response to this incident, we have partnered with forensic specialists to evaluate and reinforce existing security measures within our email environment and are reviewing our policies and procedures related to data security.”

The company also states that although they haveno evidence of actual or attempted fraudulent misuse of information as a result of this incident, individuals are nonetheless encouraged to monitor their account statements and explanation of benefits forms for suspicious activity and to detect errors.”

 

In the know

HIPAA mandates covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates implement technical safeguards to secure PHI. 

HIPAA compliant email solutions, like Paubox, implement technical safeguards, including encryption and access controls, to protect PHI and prevent unauthorized access. Providers can also use its role-based access controls to reduce the probability of data breaches. These access controls can be regularly monitored and changed when employees change roles.

 

Why it matters  

As a HIPAA-covered entity, Survival Flight must safeguard PHI. When an employee’s email credentials are compromised, it puts patient PHI at risk and exposes the organization to possible HIPAA violation fines, legal action, and reputation harm.

 

The bottom line  

Healthcare providers must use a HIPAA compliant platform to reinforce email security. Additionally, they must improve employee training, and monitor their systems to prevent unauthorized PHI access and data breaches.

Related: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is a data breach?

A breach occurs when an unauthorized party gains access, uses or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.

See also: How to respond to a data breach

 

What should individuals do if their data has been compromised?

If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.

 

Are there any costs associated with placing a fraud alert or credit freeze?

No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.