Healthcare Information Security

PHI Compromised in Email Phishing Scam

By Elizabeth Snell

No healthcare organization, whether a provider or insurer, wants to have PHI compromised. However, even with the necessary security measures in place and thorough employee training programs, incidents can still occur. That is the case at an Indiana provider, which recently announced that an email phishing scam led to PHI being compromised.

St. Vincent Medical Group, Inc. said in a statement on its website that approximately 760 patients potentially had their PHI exposed after an employee’s username and password were compromised in an email phishing scam. St. Vincent learned of the incident on Dec. 3, 2014, and said that it “immediately shut down the username and password of the impacted account and launched an investigation into the matter.”

“The investigation has required electronic and manual review of affected emails to determine the scope of the incident,” the statement read.

Information that was potentially compromised includes patient names, demographic information such as dates of birth and phone numbers, account numbers, and Social Security numbers in a few cases. Limited clinical information related to services patients received was also included. However, St. Vincent said that individual medical records and billing records were not accessed.

“St. Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that the faith-based organization is taking appropriate measures to avoid an incident of this nature happening in the future,” the facility said.

Complimentary identity monitoring and protection services will be offered to patients whose Social Security numbers were exposed, St. Vincent explained, and it will also provide further employee education on how to recognize and avoid phishing scams. Moreover, the organization said it is working with its email service provider “to evaluate ways to enhance its already robust security program.”

Unfortunately, this is not the first healthcare data security issue that St. Vincent has encountered. Last July, the facility reported that the St. Vincent Breast Center had mistakenly sent letters containing patient information to the wrong addresses. In that incident, 63,000 patients potentially had their information exposed.

As previously reported, the hospital sent out letters to patients on May 5 and started to hear from patients on May 15 that they were in fact receiving the wrong letters. The letters contained patient names, addresses, and some scheduled appointments. However, St. Vincent said that financial data and Social Security numbers were not included in the mailings.

“Please be assured that the Center is taking steps to mitigate this incident by notifying affected individuals through this substitute notice, media notice, and destroying all letters that have been returned,” St. Vincent said on its website. “The Center is also evaluating and making changes to its patient mailing processes internally and with external vendors to avoid an incident of this nature in the future.”

The hospital explained that it destroyed letters that patients had sent back, but it was unknown at the time how many letters remained in the wrong hands.
