Email Account Breach at Charles J. Hilton & Associates P.C. and Nevada Health Centers

University of Pittsburgh Medical Center (UPMC) has announced that the protected health information (PHI) of around 36,000 patients was possibly accessed by unauthorized individuals after a cyberattack on a firm that provides UPMC with billing-related legal services.

In June 2020, Charles J. Hilton & Associates P.C. (CJH) detected suspicious activity in the email account of its staff and began an investigation. On July 21, 2020, CJH established that hackers had access to the email accounts of some of its staff between April 1, 2020, and June 25, 2020.

Computer forensics experts carried out a comprehensive investigation into the breach to determine which information the hackers accessed or acquired. UPMC stated that it received notice of the breach in December 2020 confirming that attackers obtained the patient data. CJH is now sending notification letters to all patients likely impacted by the incident. UPMC said that none of its systems, including its electronic medical record system, was affected. The only information affected was patient data provided to CJH so that it could deliver its agreed-upon billing-related legal services.

CJH explained that the breached accounts contained names, birth dates, financial or bank account numbers, state identification card numbers, Social Security numbers, driver’s license numbers, electronic signatures, Medicare or Medicaid identification numbers, healthcare record numbers, patient control numbers, patient account numbers, trip numbers, visit numbers, individual health insurance or subscriber numbers, group medical insurance or subscriber numbers, medical benefits and entitlement details, disability access and accommodation, and data connected to occupational health, drug tests, symptoms, diagnosis, treatment, medicines, invoicing or claims, and/or disability.

CJH is offering free membership in credit monitoring and identity theft protection services to persons impacted by the breach.

Nevada Health Centers Notifies Patients Concerning Email Account Breach

Nevada Health Centers reported that the PHI of some of its patients was possibly compromised. From November 20 to December 7, 2020, an unauthorized person remotely signed into an employee’s email account containing patient data.

The individual who signed into the account seemed to be from abroad, as one of the login attempts used an IP address from South Africa. The attack seems to have been aimed at obtaining Nevada Health Centers’ financial data rather than patient health information, though it is likely that patient data was seen or acquired during the attack. Nevada Health Centers stated that it found no proof that PHI was accessed or stolen.

The breached email account was found to include patient names along with at least one of these types of data: address, telephone number, birth date, gender, race, ethnicity, insurance details, appointment data, medical record number, provider name, and service location(s). The number of patients affected by the breach is currently uncertain.