Two Healthcare Orgs Suffer Email Data Breaches, ECL Breach Tally Rises

June 30, 2022 - Two healthcare organizations reported email data breaches recently, involving unauthorized access to one or more employee email accounts. In addition, the Eye Care Leaders (ECL) breach tally continues to rise as more organizations report the incident to HHS.

Covenant Care California Suffers Email Breach

Covenant Care California, a company that runs multiple skilled nursing care facilities throughout Nevada and California, disclosed an email security incident that it discovered in February 2022.

After discovering suspicious activity on an employee email account on February 24, Covenant Care later determined that an unauthorized actor had gained access to employee email accounts at various times between February 24 and May 3.

Covenant Care said its investigation into the incident is still ongoing, and it is unclear at the time of publication how many individuals were impacted. The data contained in the email accounts mainly included health insurance and medical information, along with select birthdates, driver’s license numbers, and Social Security numbers.

“Information security is one of Covenant Care’s highest priorities, and it has strict security measures in place to protect information,” the notice stated.

“Covenant Care is currently reviewing technical, administrative, and physical safeguards to identify and implement any potential enhancements to its security measures, including installation of additional technical safeguards to email systems.”

93K Added to Eye Care Leaders Breach Tally

As previously reported, Eye Care Leaders (ECL), which offers an ophthalmology-specific EMR solution, experienced unauthorized access to its myCare Integrity system in December 2021.

Since ECL began notifying impacted organizations of the breach, organizations have been steadily contributing reports to HHS’ Office for Civil Rights (OCR) data breach portal.

The total breach tally has surpassed 2 million individuals and the incident has since become the largest-reported healthcare data breach of 2022 so far.

Cherry Creek Eye Physicians and Surgeons recently reported that the ECL breach impacted 17,732 individuals at its practice. In addition, Kansas-based Sharper Vision reported the breach impacting 6,891 individuals, and 68,739 individuals at Carolina Eyecare Physicians were also impacted.

Sharper Vision noted that it had to revert to paper records when it discovered that it was unable to access the EMR system in December. EMR functionality was restored the following week, the notice explained.

Bergen’s Promise Falls Victim to Email Security Incident

Bergen’s Promise, a New Jersey-based care management organization that provides services for children living with behavioral, mental health, and substance abuse issues, disclosed a data breach to HHS that impacted 6,948 individuals. However, according to a breach notification entry listed on the Maine Attorney General’s website, the breach impacted 7,513 individuals.

A notice sent to impacted individuals explained that Bergen’s Promise discovered suspicious activity on an employee email account on November 15, 2021. Further investigation revealed that an unauthorized party gained access to six employee email accounts between November 15 and 18.

Bergen’s Promise completed its internal review on March 29 and notified impacted individuals on June 1, months after the initial discovery. The organization said it had no reason to believe that any information was misused.

“In response to this incident, we changed email account passwords, enhanced security protocols, and we continue our ongoing review and assessment of our policies and procedures related to data protection,” the notice stated.