MA Pharmacy Falls Victim to Email Phishing Attack, Results in PHI Exposure

March 21, 2023 - After an email phishing attack, AllCare Plus Pharmacy reported to the Maine Attorney General that 5,971 patients potentially had their protected health information (PHI) exposed.

AllCare became aware of several phishing emails circulating to certain employees on June 21, 2022. Upon discovery, the organization removed the phishing emails from the system and hired experts to investigate suspicious activity.

Later, AllCare confirmed that the data breach occurring on April 14, 2022, involved an unauthorized party accessing certain parts of several employee emails. Although the organization said it has no evidence of patient data misuse, impacted information may have included names, addresses, date of birth, Social Security numbers, and certain health information.

“Please note that there is no evidence of any continuing unauthorized activity,” the notice explained. “Additionally, AllCare has not uncovered evidence that any personal information has been used for fraudulent or illicit purposes or has been made publicly available and continues to monitor the situation.”

In response to the recent data breach, AllCare is implementing “additional security measures, internal controls, and safeguards.”

Furthermore, the organization offers impacted individuals 24 months of protection from identity theft.

NorthStar Emergency Medical Services Data Breach Impacts 80K

NorthStar Emergency Medical Services informed 82,450 individuals that their PHI was potentially involved in a recent data breach. According to its website, NorthStar Emergency Medical Services is an advanced life support ambulance service.

Upon noticing unusual activity within its digital environment on September 16, 2022, NorthStar Emergency Medical Services secured its environment and engaged a third-party expert to launch an investigation.

By March 8, 2023, NorthStar determined an unauthorized actor accessed certain PHI, including names, social security numbers, dates of birth, patient ID number, treatment information, Medicare number, or health insurance information.

“To help prevent something like this from happening again, NorthStar is implementing additional security measures. It is also offering complimentary credit and identity protection monitoring to those individuals whose Social Security numbers may have been affected by the incident.”

Denver Public Issues Data Breach Notification Two Months Later

Denver Public School notified the US Department of Health and Human Services (HHS) of a potential data breach that may have exposed the PHI of 35,068 individuals. The unauthorized access was discovered on January 4, 2023, but the organization did not provide the data breach notification until March 3, 2023, cutting it close to the HHS breach notification reporting requirements of 60 days.

Upon the unusual discovery, the organization said it embarked on an extensive investigation to determine the nature and scope of the event. 

The investigation concluded that an authorized party accessed certain files between December 13, 2022, and January 13, 2023.

“Our review of these files identified the following: names and Social Security numbers of current and former participants in DPS’s employer-sponsored health plan; employee fingerprints, if on file; bank account numbers or pay card numbers; student identification numbers; driver’s license numbers; passport numbers; and limited health plan enrollment information maintained for human resources purposes,” the notice stated.

“We are mailing letters to affected individuals and offering complimentary credit monitoring and identity theft protection services to affected individuals.”