Health Quest, which is now an entity of Nuvance Health, has discovered the phishing attack impacted its systems during July 2018 was more extensive than at first thought.
Many Staff members employees were tricked into sharing closing their email info by phishing emails, which allowed unauthorized individuals to access their accounts. A leading cybersecurity firm was engaged to assist with the investigation and determine whether any patient information had been impacted.
In May 2019, Quest Health became aware that the protected health information of 28,910 patients was included in emails and attachments in the affected accounts and notification letters were issued to those individuals. The impacted accounts included patient names, contact data, claims information, and some healthcare information.
A subsequent investigation of the breach showed on October 25, 2019 that another employee’s email account was impacted which included protected health information. According to the substitute breach notification posted on the Quest Health website, the compromised information was different from patient to patient, but may have included one or more of the following data elements in along with names:
- Dates of birth
- Social Security numbers
- Driver’s license numbers
- Medicare Health Insurance Claim Numbers (HICNs)
- Provider name(s)
- Dates of treatment
- Treatment and diagnosis information
- Health insurance plan member and group numbers
- Health insurance claims information
- Financial account information with PIN/security code
- Payment card information.
No proof of unauthorized viewing of patient data was found and no reports have been received to indicate any patient information was improperly used. Out of an abundance of caution additional letters were sent to patients on January 10, 2020.
Quest Health is now implementing multi-factor authentication on its email accounts and has bolstered security processes and provided more training to its HQ employees on phishing and other cybersecurity problems.
It is currently not known how many extra patients have been impacted. At the time of publishing, the breach report on the HHS’ Office for Civil Rights breach portal still states 28,910 individuals were affected.