PHI Exposed Due to Breaches at Cano Health and the Department of Behavioral Health and Intellectual Disability Services

Cano Health, a population health management firm and healthcare service provider located in Florida, reported that an unauthorized individual got access to the email accounts of three workers by creating a mail forwarder the email accounts which directed emails to other addresses.

Caro Health became aware of the data breach on April 13, 2020, nevertheless, the investigation findings showed that the accounts were compromised two years earlier, some time in May 18, 2018. That means every email that was sent to and from the email accounts from May 18, 2018 to April 13, 2020 are presumed to have been acquired and were possibly accessed.

An evaluation of the emails affirmed that they held private and protected health information (PHI) for instance names, contact details, dates of birth, medical details, insurance data, government identification numbers, financial account numbers and/or social security numbers.

Cano Health is notifying impacted people and has instructed them to periodically check their accounts and benefits statements for indications of fake transactions. Cano Health is going to give impacted patients credit monitoring services at no cost.

Cano Health is working to strengthen email security. The Department of Health and Human Services’ Office for Civil Rights hasn’t published the breach details on its portal yet, thus it is uncertain at this point how many individuals have been impacted.

Phishing Attack on City of Philadelphia Affects 33,376 Patients

The City of Philadelphia’s Department of Behavioral Health and Intellectual disAbility Services (DBHIDS) reported a cyberattack that led to the exposure of the PHI of 33,376 persons.

On March 31, 2020, DBHIDS noticed suspicious actions in the email account of an employee, though the breach investigation affirmed that there were two email accounts compromised on April 2, 2020. The phishing attack investigation is still in progress and forensics professionals are already analyzing the email accounts, though there is no proof yet showing the hackers accessed or exfiltrated patient information.

The breach impacts patients having mental disabilities who had formerly gotten services from the Division of Intellectual disAbility Services (IDS). The kinds of data exposed varied from one patient to another and might have contained data elements like names, addresses, birth dates, Social Security numbers, medical insurance details, account and/or medical record numbers, diagnoses, provider names, service dates and short descriptions of the services the person had or were obtained from IDS. The copies of birth certificates and Social Security cards of a number of patients were likewise exposed.

DBHIDS will mail the notification letters to impacted persons in the forthcoming weeks and will provide free credit monitoring services.

To avoid identical breaches later, a number of steps were undertaken. Further education will be given to workers to enable them to identify phishing emails. Campaigns to track network activity were improved.