- California-based Gold Coast Health Plan (GCHP) reported to OCR Oct. 5 that a phishing attack exposed PHI on 37,005 individuals.
In a Oct. 8 news release, GCHP said that attackers compromised an employee’s email account, permitting them to gain access to emails sent to the account between June 18 and August 1.
Information that may have been compromised included names, dates of birth, medical procedure codes, health plan identification numbers, and dates of medical service. GCHP stressed that no Social Security numbers or financial information was disclosed.
GCHP said it disabled the compromised account, required a password change, and maintained heightened monitoring of any suspicious activity. It also notified law enforcement and hired a cybersecurity firm to investigate the breach.
“According to computer forensics experts and law enforcement, these types of attacks are usually financially motivated. Based on our investigation, we believe the perpetrators of the attack were trying to fraudulently transfer GCHP funds to their account,” the release said.
GCHP is providing free identity theft protection services to those affected by the breach. It also implementing enhanced security measures to improve IT security and expanding employee IT security awareness training with a focus on phishing campaigns.
Minnesota DHS Says Phishing Attack Exposed PHI on 21K People
The Minnesota Department of Human Services (DHS) reported to OCR Oct. 9 that a phishing attack exposed PHI on 20,800 individuals.
In a notice on its website, DHS said that hackers succeeded in accessing email accounts of two employees through successful phishing campaigns in late June and early July. The attackers used the accounts to send out spam emails.
Information that may have been compromised included names, dates of births, Social Security numbers, addresses, telephone numbers, medical information, educational records, employment information, and financial information.
Minnesota IT Services secured the two email accounts, stopped the spread of the phishing emails, and investigated the incidents. DHS reported the incidents to OCR and the Minnesota Office of the Legislative Auditor.
DHS said it is taking the following steps to improve data security: “We teach DHS employees about email best practices and how to respond to data security incidents. We use the technology at our disposal to its fullest potential to prevent and mitigate data security incidents and push for security technology upgrades. We update relevant policies and procedures.”
Reichert Prosthetics Reports Unencrypted Drive Theft from IT Contractor
Wisconsin-based Reichert Prosthetics & Orthotics reported to OCR Sept. 28 the theft of a portable electronic device that exposed PHI on 3,380 individuals.
A hard drive containing a backup of the provider’s server was removed without authorization by an IT contractor’s employee. It was then stolen from the employee’s home on July 31, according to a report by the Kenosha News.
The provider, which has locations in Racine and Kenosha, Wisconsin, as well as Waukegan, Illinois, learned of the theft Aug. 1.
Information that may have been compromised included full names, Social Security numbers, dates of birth, home addresses, treatment photos, insurance account information, and treatment notes. In addition, some clients who used credit cards to pay for services may have been exposed as well.
The provider hired a third-party forensic consultant to investigate the incident and reported the hard drive theft to law enforcement.
There is “no evidence of any identity theft, misuse or fraud of individuals’ personal information arising from the incident,” the provider said in statement quoted by the Kenosha News.
Reichert said it is offering free credit monitoring services. It also requiring all third-party consultants to encrypt any removable devices that hold PHI before leaving the premises.