Health Quest, which is presently a part of Nuvance Health, learned that the impact of the phishing attack in July 2018 was more extensive than first believed.
Some staff were deceived into revealing their email account details by phishing emails, therefore letting unauthorized persons to access their accounts. A prominent cybersecurity company helped with the investigation to find out if there was a breach of patient data.
In May 2019, Quest Health found out that the email messages and attachments in the breached accounts contained 28,910 patients’ protected health information (PHI) therefore the health system dispatched notification letters to the impacted people. The details contained in the breached accounts included patient names, contact details, claims data, and some medical information.
Another investigation of the breach showed on October 25, 2019 the compromise of yet another email account of an employee containing PHI. As per the substitute breach notification published on the Quest Health site, the compromised details were varied from one patient to another, nevertheless, the names and one or more of these data elements might have been included:
Birth dates, driver’s license numbers, Medicare Health Insurance Claim Numbers (HICNs), Social Security numbers, provider name(s), treatment dates, treatment and diagnosis data, medical insurance plan member and group numbers, medical insurance claims data, financial account data with PIN/security code, and payment card data.
There is no proof uncovered that unauthorized persons viewed patient information. There is likewise no report acquired about the misuse of patient data. For security reasons, on January 10, 2020, Health Quest mailed another notification letter to patients.
As a result of the breach, Quest Health currently implements multi-factor authentication for email accounts and toughened security systems and offered staff more training about phishing and other cybersecurity concerns.
There is no certain statement as to the number of more patients were impacted by the breach. To date, the number of people impacted as stated on the HHS’ Office for Civil Rights breach portal is still 28,910 people.