Hartford Healthcare and Saint Francis Ministries Suffer Phishing Attacks

The Saint Francis Ministries health system has revealed that the email account of one of its staff members was accessed by an unauthorized person, who may have taken patient information.

The breach was discovered on December 19, 2019, when suspicious activity was spotted in an employee’s email account. A third-party computer forensics firm was engaged to investigate the breach and determined on February 12, 2020 that the account was subjected to unauthorized access at some point between December 13, 2020 and December 20, 2019. It was not possible to tell whether the attacker viewed emails containing patient data or downloaded any email data, but no reports have been received to suggest that any patient information has been misused.

A review of the impacted accounts was finished on March 24, 2020 and revealed that the following data was potentially impacted: name, date of birth, Social Security number, driver’s license number, state ID number, bank/financial account number, credit or debit card number, diagnosis, treatment information, prescription information, provider name, medical record number, Medicare/Medicaid details, health insurance information, treatment cost information, and login name and password.

Saint Francis Ministries started issuing notification letters to affected people on April 12. Free credit monitoring and identity theft protection services have been provided to impacted patients, and steps are being taken to enhance email security to prevent similar breaches in the future.

Meanwhile, Hartford Healthcare revealed on April 13, 2020 that it had been the victim of a phishing campaign. The attack was identified on February 13, 2020, when unusual activity was spotted in the email accounts of two staff members.

With the help of a third-party computer forensics group, Hartford Healthcare determined that the hackers accessed the email accounts between February 13 and February 14, 2020.

At least one of the email accounts was found to include the protected health information of certain patients, such as names, medical record numbers, health insurance data, and other health-related data. The email accounts also contained the Social Security numbers of 23 clients.

Hartford Healthcare revealed that 2,651 patients have been impacted and are now being notified. The 23 individuals whose Social Security numbers were possibly stolen have been offered free credit monitoring and identity theft protection services for 24 months.
