Email Security Breaches at Shields Health Solutions and Lafayette Regional Rehabilitation Hospital

Shields Health Solutions Email Account Breach

Shields Health Solutions located in Stoughton, MA provides covered entities and hospitals with specialty pharmacy services. Unauthorized access of an employee’s email account probably allowed the hacker to view or copy the protected health information (PHI) contained in the account.

Shields Health Solutions spotted dubious activity in the email account of the employee on October 24, 2019. A cybersecurity firm inspected the incident and stated that the account was accessed by an unauthorized individual from October 22 up to October 24, 2019. The breach only affected one email account.

The email messages and attachments in the account contained the names of patients, birth dates, names of providers, medical record numbers, clinical information, prescription information, insurance company names, and minimal claims information. There is no proof that indicates patient data access or copying by the hacker.

Shields Health Solutions upgraded its email security by implementing multi-factor authentication on all employees’ email accounts and mailed notification letters to all affected individuals on December 16, 2019. The HHS’ Office for Civil Rights (OCR) breach portal has not posted about the breach yet thus the actual number of affected individuals is not yet completely identified.

Lafayette Regional Rehabilitation Hospital Email Breach

In July 2019, Lafayette Regional Rehabilitation Hospital located in Lafayette, IN learned about unauthorized access to an employee’s email account resulting in the potential viewing of patients’ PHI.

As soon as the hospital knew about the breach on November 25, 2019, prompt investigation of the incident was started to ascertain if unauthorized persons viewed any patient information. There is no certainty that the hackers viewed or copied patient data, nevertheless, there is a possibility that it happened. The information contained in the compromised email account included names, birth dates, clinical information and treatment details linked to medical services availed at the hospital. The Social Security number of several patients were likewise compromised.

On January 24, 2019, the hospital mailed breach notification letters to affected patients and offered those who had their Social Security numbers compromised free credit monitoring services. Further action taken by Lafayette Regional Rehabilitation Hospital included improving email security and reinforcing employee training on security awareness.

OCR already received the breach report which stated that approximately 1,360 patients were affected.