Hacked email accounts leads to potential breach in Des Moines

Primary Health Care in Des Moines, Iowa, recently discovered that the email accounts of four employees were accessed without authorization, as well as related Google drives handing cloud storage and file backups.

The not-for-profit community health center now is offering affected patients one year of identity protection services from AllClear ID.

The organization said it discovered the breach on March 1, and believes that patient information was only accessible for a day, because the email accounts were compromised on February 28. The number of individuals who may be affected has not yet been posted on the Office for Civil Rights data breach website, but the organization in 2016 served nearly 37,000 patients.

Primary Health Care contracted with a forensic investigator to confirm the scope of the breach, but was unable to determine which emails in the accounts, if any, were subject to access.

Primary Health Care-CROP.jpg

Also See: Mishandled emails cause breach at Kansas disability agency

The types of data potentially compromised were extensive and included patient names, phone numbers, Social Security numbers, financial account numbers, driver’s license numbers, credit and debit card numbers, dates of service, diagnoses and treatment, medical history, facility and provider, insurance information, payer information and Medicaid identification number.

The organization has not yet found any evidence of misuse of patient information and is urging affected patients to review their credit card and bank account statements, explanation of benefits forms and credit card reports for suspicious activity.

In response to inquiries about the data exposure, Primary Health Care declined to provide additional information about the incident.

For reprint and licensing requests for this article, click here.