PHI of 138K Persons Compromised Due to 3 Email Security Incidents

Hackers have acquired access to email accounts comprising protected health information (PHI) at Volunteers of America Southwest California, iRise Florida Spine and Joint Institute, and Injured Workers Pharmacy.

Injured Workers Pharmacy

Injured Workers Pharmacy in Andover, MA has lately announced a data breach to the Maine Attorney General. The incident was uncovered on or approximately May 11, 2021, upon observing suspicious activity in a worker’s email account. The pharmacy promptly secured the account and involved third-party computer forensics professionals to look into the incident. The investigation showed the exposure of 7 email accounts from January 16, 2021 to May 12, 2021.

Third-party information review experts were employed to examine the emails and file attachments in the breached accounts, which established they included the PHI of 75,771 people including names, Social Security numbers and addresses. Subsequent to the review, Injured Workers Pharmacy authenticated the results, and that process was done on or about December 14, 2021. The pharmacy started mailing notification letters to impacted persons on February 3, 2022.

Injured Workers Pharmacy explained it has increased its email security procedures and is providing certain affected people free credit monitoring and identity restoration services.

iRise Florida Spine and Joint Institute

The iRise Florida Spine and Joint Institute has uncovered a staff email account made up of the protected health information of 61,595 patients that was accessed by an unauthorized person. The forensic inquiry revealed the hacker obtained access to the email account between February 24, 2021 and February 26, 2021.

An extensive evaluation of email messages and attachments was carried out, and the procedure was finished on November 22, 2021. iRise mentioned these types of data were possibly viewed or obtained during the attack: Names, birth dates, diagnoses, clinical treatment data, doctor and/or hospital name, dates of service, and medical insurance data. The driver’s license numbers, Social Security numbers, financial account details, credit card numbers, and/or usernames and passwords of some persons were likewise exposed.

Impacted people were alerted and a 12-month membership to a credit checking service was provided at no cost to persons whose Social Security numbers were compromised. iRise has assessed its email security steps and has enforced more technical safety measures, such as multifactor authentication. The employees are likewise given supplemental training on email security.

Volunteers of America Southwest California

The social service organization located in San Diego, CA Volunteers of America Southwest California, recently reported it experienced a phishing attack. An employee received an email that seemed to be a voicemail message, that contained a URL to a site that needed the input of sign-in credentials so as to hear the message. The sign-in credentials were snagged and employed to sign into the employee’s email account.

The attackers viewed the email account on or approximately November 16, 2021, and the breach was noticed and addressed on November 16. An assessment of the email account showed it comprised the first and last names of people in many of the cases, with several of the records at the same time having the COVID-19 vaccination status of individuals.

The breach seems to have been completely remediated and third-party professionals were involved to confirm the containment procedures. Email security was improved due to the breach.

The company sent the breach report to the HHS’ Office for Civil Rights stating that 1,300 people were impacted.