Alive Hospice’s email accounts phished multiple times, PHI accessed
Alive Hospice, with three campuses in Tennessee, suffered three email phishing attacks between December 2017 and May, and the organization now is notifying an undisclosed number of affected individuals.
In December an employee’s email account was accessed; however, the investigation found no unauthorized access to personal information. The employee’s email password was changed, but in April, the same employee’s email account information was gained through a phishing attack. The organization said it then changed that employee’s access to the system.
Finally, in mid-May, a review of the email system found ongoing unauthorized activity in the employee’s email account that may have compromised patients’ personal information.
A new investigation, assisted by forensic specialists, found unauthorized access to two Alive Hospice employee email accounts, and it indicated that a considerable amount of protected health information may have been compromised.
Patient information potentially at risk includes patient names, dates of birth, Social Security numbers, passport numbers, driver’s license or state identification numbers, birth or marriage certificates, financial account numbers, medical history, treatments and prescriptions, username/email/password data, biometric identifiers, IRS pin numbers, digital signatures, and security questions and answers.
In a notice on the incident, Alive Hospice executives said there is no evidence any information has been subject to actual or attempted misuse. “While Alive Hospice already has stringent security measures in place to protect information in its systems, Alive Hospice also is implementing additional safeguards to protect the security of information,” the notice indicated. The hospice is offering affected individuals one year of identity protection services from ID Experts.
Alive Hospice issued a statement to Health Data Management of additional steps being taken such as providing guidance to affected individuals on how to protect against identity theft and fraud. “While we have security measures in place to protect information in our system, we also have implemented new safeguards to protect the security of our patients’ information.”