Healthcare Information Security

Patient Privacy News

Phishing Scam Leads to Potential PHI Exposure

By Elizabeth Snell

Employees at Children’s National Health System (Children’s National) allegedly fell victim to phishing scams toward the end of last year, which led to potential PHI exposure for some patients. Children’s National explained in a company statement that hackers could have gained access to PHI that was in the employees’ email accounts.


The facility became aware of the issue on Dec. 26, 2014, but the unauthorized access may have taken place from July 26, 2014 to Dec. 26, 2014. The information that may have been exposed includes names, addresses, dates of birth, and telephone numbers. Moreover, clinical information such as diagnoses, treatment received, medical record numbers, medical service codes or health insurance information was also potentially accessed. Social Security numbers were also included in a few instances, the company said.

“We reported the phishing attack to federal law enforcement and continue to work with them in their investigation,” the statement read. “Importantly, neither patient charts nor our electronic medical records system were compromised. Only the discrete information contained in the email accounts was potentially affected.”

The facility added that patient charts and patient electronic medical records were not compromised. Only “discrete information contained in the email accounts” was possibly affected.

There is no evidence showing that the information contained in the employee emails has been used maliciously, according to Children’s National. However, the company added that it is reinforcing its staff training on how to handle suspicious emails. The facility’s existing technical safeguards have also been enhanced, and a review of Children’s National systems is currently underway to “further protect patient information.”

The notice did not specify how many patients were potentially affected, just that those individuals will receive notification letters in the mail. A call center has been created, and individuals who think they may be affected but did not receive a letter by March 15 can also reach out to Children’s National.

Scam email campaigns are a common way for cyber attackers to attempt to gain access to sensitive information. Last month, Anthem, Inc. warned its patients about potential phishing campaigns following its announcement of a large-scale health data breach.

Anthem warned consumers against clicking on any links in suspicious emails, replying to the emails, giving any information to a website connected to the email links, and against opening any attachments with the emails. The organization suffered a data breach that potentially exposed the personally identifiable information of close to 80 million individuals. However, if an individual was potentially impacted by the breach, he or she would receive a letter in the mail, Anthem said. The company explained that it would not be sending emails or calling consumers on the phone.


