On October 5, Health First, Inc., a Florida-based healthcare provider, notified HHS of a breach that affected 42,000 patients. The incident was coded on HHS’s breach tool as hacking/IT incident involving e-mail.
It has taken a while to obtain more details, but DataBreaches.net has now received a statement from Matthew Gerrell, Senior Vice President, Consumer & Retail Services:
Between February and May 2018, a small number of our employees were the victims of a phishing scam which compromised some of our customers’ information. The criminals were able to gain access of these employees’ email accounts for a limited period of time.
Based on a forensic review, it is believed that a limited number of emails were viewed and the criminals did not appear interested in obtaining personal data, but focused on continuing their phishing scam. However, as some accounts contained Protected Health Information (PHI), we have notified the impacted customers.
Once we learned of the event, we blocked the unauthorized access and changed the passwords of the impacted employees’ email accounts. We are initiating new security measures to prevent a similar event from happening again.
We have arranged to have AllClear ID protect impacted customers’ identities for 12 months at no cost to them. This includes identity theft monitoring and identity repair if needed. We apologize for this breach and assure our customers we are doing all we can to protect their health and information.