Baylor Regional Medical Center at Plano reported a breach to HHS that affected 1,981 patients. The incident, which occurred on January 23, was coded on the breach tool as a “Hacking/IT Incident” with the location of the information identified as e-mail.
A notice on Baylor’s site explains that this was a phishing incident:
Notice to our Patients Regarding “Phishing” Incident
Baylor Regional Medical Center at Plano is committed to protecting the security and confidentiality of our patients’ personal information. Regrettably, this notice is about an incident involving some of that information.
On February 24, 2014, we learned that “phishing” emails were sent to a small group of affiliated physicians who responded to the emails thinking that they were legitimate internal requests on or after January 23, 2014. By responding to the “phishing” email, the affiliated physicians may have inadvertently created an opportunity for unauthorized access to their email accounts. When we learned of this, we immediately secured the affected email accounts and began an investigation, including hiring an outside forensics expert firm. We undertook a comprehensive review of the affected affiliated physicians’ e-mail accounts and confirmed that some of their emails contained patient information and may have included patient demographic information (for example, name, address, date of birth, or telephone number) and limited clinical information (for example, treating physician and/or department, diagnosis, treatment received, medical record number, medications, medical service code or health insurance information), and in a small number of instances, Social Security numbers.
We have no evidence that the information in the emails has been used in any way, however, as a precaution, we began sending letters to affected patients on April 25, 2014 and have established a dedicated call center to assist patients with any questions. If you believe you are affected, but have not received a letter by May 12, 2014, please call 1-888-284-6664 Monday through Friday between 8:00 a.m. and 8:00 p.m. Central Time.
We deeply regret any inconvenience this may cause our patients. To help prevent something like this from happening in the future, we have re-enforced education with our staff regarding “phishing” emails and are reviewing enhancements to the technical safeguards currently in place to further protect employee email accounts from unauthorized access, such as strengthening user login authentication.
The notice does not explain whether it was within Baylor’s policy for physicians to have unencrypted PHI stored in e-mails in physicians’ e-mail accounts.
Interestingly, at around the same time Baylor doctors were falling for phishing attempts in emails that appeared to be from legitimate internal accounts, doctors at Franciscan Medical Group were falling for phishing attempts where the emails appeared to be from Franciscan Health System’s parent company, Catholic Health Initiative. Were these two phishing incidents related? Neither Franciscan nor Baylor shared more details about the phishing emails or the IP addresses they came from, so it’s hard to know.