PHI Exposed in Email Security Incidents at Discovery Practice Management and Peoples Community Health Clinic

Discovery Practice Management Alerts Folks Regarding June 2020 Email Incident

Administrative support services provider Discovery Practice Management to Cliffside Malibu and Authentic Recovery Center facilities based in California has issued notices that unauthorized persons obtained access to the email system it provides for those companies.

Suspicious email activity was noticed in the email environment on July 31, 2020. An investigation into the incident was started which disclosed there were unauthorized logins to personnel email accounts at the two facilities between June 22, 2020 and June 26, 2020.

The accounts were quickly secured and a third-party cybersecurity company was employed to look into the breach yet it wasn’t possible to verify whether or not protected health information (PHI) in the accounts was viewed or copied.

PHI probably exposed included names, dates of birth, addresses, patient account numbers, medical record numbers, health insurance data, financial account/payment card details, driver’s license number, Social Security numbers, and clinical data, for instance, diagnosis, treatment details, and doctor prescribed medicine data.

The company mentioned in its breach notification letter to the California Attorney General that it coordinated with both practices to affirm the contact data for the 13,611 people whose details were possibly compromised. That procedure was done on June 2, 2021. Individuals affected by the breach have now been advised and have been provided a complimentary one-year membership to credit monitoring and identity theft protection support.

Discovery Practice Management believes the attack was not carried out to steal patient records, rather it is assumed to have been intended to redirect invoice payments. Steps have already been taken to boost email security and improved training has been given to the facilities’ employees to recognize and stay clear of suspicious email messages.

Email Account Breach at the Peoples Community Health Center

Peoples Community Health Center based in Waterloo, IA learned that an unauthorized person had accessed the email account of an employee. The provider discovered the suspicious email activity on March 22, 2021 and had third-party cybersecurity professionals investigate the incident to find out the nature and extent of the breach.

The investigation established that an unauthorized individual had accessed only one email account from March 18, 2021 to March 22, 2021. An analysis of the account’s emails and file attachments was done on May 24, 2021. It was determined that these types of data were possibly exposed:

Names, dates of birth, addresses, Social Security numbers, driver’s license numbers, state ID numbers, medical diagnoses, medical treatment data, medical insurance details, payment card numbers and/or payment card CVV/expiration date.

Impacted persons are being informed via mail and steps were taken to avoid the same breaches later on, which include going over and improving policies and guidelines and giving the employees more training.