DataBreaches.Net


Health Quest phishing incident in 2018 results in notification to patients, but why such a long delay?

Posted on June 1, 2019 by Dissent

Today’s Poughkeepsie Journal has a news story about a phishing incident that appears to have been discovered in July 2018 and that affected an unspecified number of Health Quest patients. From the available information, it sounds like Health Quest first discovered email attachments in January 2019, and then it took them until April 2, 2019 to determine that PHI was involved. They do not explain why, if they first learned of the phishing incident in July 2018, it took them until January 25, 2019 to discover email attachments, or why it then took them more than two more months to discover that PHI was affected. And of course, once they discovered that PHI was involved, it was still another two months until patients were notified. So we’re talking about 10 months from discovery of the phishing incident to notification of patients? Although it’s been quite rare, OCR has enforced the 60-day notification rule. So has New York State’s Attorney General. Will either of them enforce it again in this case?

Here is Health Quest’s statement:

Health Quest affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services (“collectively Health Quest Affiliates”) are healthcare providers and maintain information related to those services. This notice relates to the Health Quest Affiliates ongoing investigation of an incident that may have involved some patients’ information. This notice explains the incident, measures the Health Quest Affiliates have taken and some steps that can be taken in response.

On April 2, 2019, through Health Quest Affiliates’ ongoing investigation of a phishing incident, Health Quest Affiliates determined an unauthorized party may have gained access to emails and attachments in several employee email accounts that may have contained patient information. Health Quest Affiliates first learned of a potential incident in July 2018, when several employees were deceived by a phishing scheme, which resulted in certain workforce members being tricked into inadvertently disclosing their email account credentials to an unauthorized party. Although these phishing emails appeared to be legitimate, they were sent by an unknown actor and were designed to have the recipients disclose their email account usernames and passwords. Upon learning of the incident, the employee email accounts in question were secured and a leading cybersecurity firm was engaged to assist us in our investigation. As part of the investigation, Health Quest Affiliates performed a comprehensive review of the contents of the email accounts in question to determine if they contained any sensitive information.

Through this ongoing review, on January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information, which may have included names, provider names, dates of treatment, treatment and diagnosis information, and health insurance claims information, related to services some patients received at Health Quest Affiliates between January 2018 and June 2018.

Although, to date, Health Quest Affiliates have no evidence that any information has been misused or was in fact viewed or accessed, Health Quest Affiliates began notifying the potentially affected individuals on May 31, 2019, and we have established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by June 10, 2019, please call, 1-800-277-0105, Monday through Friday, 9:00 a.m. to 6:30 p.m. EST.

Health Quest Affiliates regret any inconvenience or concern this may cause you. To help prevent a similar incident from occurring in the future, Health Quest Affiliates are implementing multi-factor authentication for email and additional procedures to further expand and strengthen its security processes. Health Quest Affiliates are also providing additional training to its employees regarding phishing emails and other cybersecurity issues.


Category: Commentaries and Analyses, Health Data, Phishing, U.S.
