Phishing attack nabs hospital employees’ W-2 info
Citizens Memorial Hospital is offering two years of identity protection services after an employee fell for a phishing email scam and released all 2016 W-2 tax form information on current and former employees to a hacker.
The attack occurred on February 8, and the 86-bed hospital in Bolivar, Mo., learned of the breach the following day.
“The information was sent by an employee who believed the phishing email scam was a legitimate internal hospital request,” the hospital states in a notification to media. “When we learned of the incident, we notified the FBI, the IRS and state taxing authorities.”
Citizens Memorial is not notifying the HHS Office for Civil Rights about the incident because W-2 forms are not protected health information under the HIPAA breach notification rule, a spokesperson said in an interview.
The hospital has paid for affected individuals to receive the ProtectMyID program from Experian. The suite of services includes text/email alert notifications that an unauthorized person may be using your personal information, credit and identity theft monitoring, scanning illicit sites where personal data is being traded, monitoring fraudulent change-of-address requests at post offices and notification when an individual’s identity is free of illicit activity.
Citizens Memorial is not revealing the number of affected individuals and is enhancing its data security education programs.
Tom Walsh, a veteran healthcare information security professional and president of Tom Walsh Consulting, explains how some other provider organizations, like Citizens Memorial, are not HIPAA-covered entities even if they provide the same services as covered entities.
“Let’s say there are two physician practices, ‘A’ and ‘B’, next door to each other, and a person is a new patient at both practices. Both practices require the patient to fill out forms with their name, address, phone, age, medical history and more.
“Practice A is a family practice that accepts insurance. Practice B does cosmetic plastic surgery and therefore does not accept insurance because most cosmetic surgeries are not covered by insurance. Practice A must comply with HIPAA and protect the new patient information form as PHI; Practice B does not have to comply with HIPAA. The exact same information on the patient form is not considered PHI; and unless there is a state law for data protection, Practice B is not required to do anything special as far as privacy or security.”