Newly revealed phishing attacks compromised ePHI of over 41,000 patients

• The two separate incidents on healthcare entities both occurred in 2018.
• The first attack carried out in April 2018 compromised 17,351 patients’ health data, while the second attack on November the same year exposed data of 23,811 patients.

A pair of isolated phishing attacks that occurred in 2018 has divulged sensitive information of over 41,000 patients. The attacks were carried out on two healthcare companies, Palmetto Health, and Women’s Health USA.

Both these firms have acknowledged the security incidents and have notified the affected patients. Palmetto Health was victim to an attack in November 2018 whereas Women’s Health USA was targeted in April 2018.

What information was exposed?

• Palmetto Health reported that the phishing incident had targeted only specific employee email accounts with the attackers intending to access payroll information. However, after an extensive investigation, the firm found that names and health information of a certain number of patients were exposed as a result. Furthermore, some emails even had Social Security numbers and medical insurance information.
• Women’s Health USA told that the phishing attack resulted in the compromise of two email accounts that contained several patient information. The information included patients’ dates of birth, Social Security numbers, Medicare Health Insurance Claim Numbers (HICNs), health insurance policy numbers, diagnoses, and treatment information.

What actions were taken?

Both firms said that the affected accounts respectively were secured after the attack was discovered. Palmetto Health is offering complimentary identity theft protection services to patients affected by the breach. On the other hand, Women’s Health USA has offered to provide free credit reports to the affected.