DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Health Quest phishing incident in 2018 results in notification to patients, but why such a long delay?

Posted on June 1, 2019 by Dissent

Today’s Poughkeepsie Journal has a news story about a phishing incident that appears to have been discovered in July, 2018 that affected an unspecified number of Health Quest patients. From the available information, it sounds like Health Quest first discovered email attachments in January, 2019, and then it took them until April 2, 2019 to determine that PHI was involved. They do not explain why, if they first learned of the phishing incident in July, 2018, it took them until January 25, 2019 to discover email attachments and why it then took them more than two more months to discover that PHI was affected. And of course, once they discovered that PHI was involved, it was still another two months until patients were notified. So we’re talking about 10 months from discovery of phishing incident to notification to patients? Although it’s been quite rare, OCR has enforced the 60 day notification rule. So has New York State’s Attorney General. Will either of them enforce it again in this case?

Here is Health Quest’s statement:

Health Quest affiliates Health Quest Medical Practice, Health Quest Urgent Care and Hudson Valley Newborn Physician Services (“collectively Health Quest Affiliates”) are healthcare providers and maintain information related to those services. This notice relates to the Health Quest Affiliates ongoing investigation of an incident that may have involved some patients’ information. This notice explains the incident, measures the Health Quest Affiliates have taken and some steps that can be taken in response.

On April 2, 2019, through Health Quest Affiliates’ ongoing investigation of a phishing incident, Health Quest Affiliates determined an unauthorized party may have gained access to emails and attachments in several employee email accounts that may have contained patient information. Health Quest Affiliates first learned of a potential incident in July 2018, when several employees were deceived by a phishing scheme, which resulted in certain workforce members being tricked into inadvertently disclosing their email account credentials to an unauthorized party. Although these phishing emails appeared to be legitimate, they were sent by an unknown actor and were designed to have the recipients disclose their email account usernames and passwords. Upon learning of the incident, the employee email accounts in question were secured and a leading cybersecurity firm was engaged to assist us in our investigation. As part of the investigation, Health Quest Affiliates performed a comprehensive review of the contents of the email accounts in question to determine if they contained any sensitive information.

Through this ongoing review, on January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information, which may have included names, provider names, dates of treatment, treatment and diagnosis information, and health insurance claims information, related to services some patients received at Health Quest Affiliates between January 2018 and June 2018.

Although, to date, Health Quest Affiliates have no evidence that any information has been misused or was in fact viewed or accessed, Health Quest Affiliates began notifying the potentially affected individuals on May 31, 2019, and we have established a dedicated call center to answer any questions. If you believe you may be affected by this incident but did not receive a letter by June 10, 2019, please call, 1-800-277-0105, Monday through Friday, 9:00 a.m. to 6:30 p.m. EST.

Health Quest Affiliates regret any inconvenience or concern this may cause you. To help prevent a similar incident from occurring in the future, Health Quest Affiliates are implementing multi-factor authentication for email and additional procedures to further expand and strengthen its security processes. Health Quest Affiliates are also providing additional training to its employees regarding phishing emails and other cybersecurity issues.

Related posts:

  • Update on American Medical Collection Agency breach: Almost 12 million Quest Diagnostic patients impacted
  • Quest Records LLC breach linked to TheDarkOverlord hacks; more entities investigate if they’ve been hacked
  • Health Quest still first notifying people of July, 2018 breach in January, 2020
  • Victims of W-2 phishing scams (2017 list)
Category: Commentaries and AnalysesHealth DataPhishingU.S.

Post navigation

← NY: Broome County security breach put employees’ and clients’ personal information at risk
Update on American Medical Collection Agency breach: Almost 12 million Quest Diagnostic patients impacted →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.