PHI of 138k individuals Exposed in 3 Email Security Incidents

Personal Health Information (PHI) of a combined 138,000 individuals have been exposed in three separate data breaches at Injured Workers Pharmacy, iRise Florida Spine and Joint Institute and Volunteers of America Southwest California, writes HIPAA Journal.

• Read how and why you need to make your email comply with the HIPAA Security Rule.

Injured Workers Pharmacy Andover

Injured Workers Pharmacy, Andover, Massachusetts, reported a data breach they discovered on 11th May, 2021 after detecting some suspicious activity in one of their employee’s email accounts.

Third-party computer security and forensic experts were called on to investigate the data breach and discovered that, between 16th January and 12th May last year, 7 separate email accounts of Injured Workers Pharmacy employees have been compromised.

The data breach was reported to the Maine Attorney General.

The compromised email accounts contained Protected Health Information (PHI) of 75,771 individual, including their names, addresses and Social Security Numbers (SSN).

Following the review, Injured Workers Pharmacy validated the investigation’s results by 14th December, 2021 and sent notification letters to the affected persons about the data breach on 3rd February, 2022.

iRise Florida Spine and Joint Institute

In another data breach incident, an unauthorized person gained access to the email account of one iRise Florida Spine and Joint Institute employee which contained patient data of 61,595 individuals, including their PHI.

According to a review by forensic third-party experts, the hacker accessed the email account somewhere between 24th and 26th February last year.

iRise Florida and Spine Joint Institute completed a review of all their employee’s email accounts and attachments on 22nd November, 2021.

The attacker may have viewed or accessed the following sensitive data: patient names, birth dates, their diagnoses, information about hospital name and physician treating them, information about clinical treatment, health insurance info, date of service and in some cases also their driver’s license numbers, financial account information, SSNs, credit card information, as well as iRise login credentials.

iRise notified the affected persons and offered a 12-month credit monitoring service complimentary membership to those whose SSN has been exposed in this data security incident.

Volunteers of America Southwest California

Social service organization from San Diego, California, Volunteers of America Southwest California recently reported being a victim of a phishing attack after one of its employees received an email disguised as a voice message.

The email contained a link to a website that required login credentials to be entered in order to hear the voice message.

Once the employee entered those, the hacker was able to capture the credentials and access his email account on 16th November, 2021 when the data breach was also discovered.

Following a review of the email account, it was discovered that the names of 1,300 individuals as well as their Covid-19 vaccination statuses were exposed in the incident.

The breach was reported to the HHS’ Office for Civil Rights.

Need to analyze patient healthcare data without breaching their privacy? Find out in the linked article.