Chase Brexton Health Care in Maryland recently notified 16,562 patients after four employees fell for a phishing attack. The phishing emails were sent on August 2 and 3, and by August 4, the attackers had re-routed employees’ paychecks.
Of note, there was no evidence that the attackers were seeking – or ever accessed or viewed – any emails with patient information that may have been in the employees’ inboxes, but because the data were in the inboxes, Chase Brexton decided to notify all potentially affected patients. Curiously, perhaps, their notice mentions “several” patients, but they notified HHS that they notified 16,562 patients. Why so many? And if that number is accurate, why do Chase Brexton employees have so much PHI sitting in their emails?
The following is the full text of the notice that appears on their web site.
Notice of Data Security Incident
(“Chase Brexton”) recently discovered an event that may affect the security of personal health information within its environment. While Chase Brexton is unaware of any actual or attempted misuse of the personal health information in relation to this incident, this notice is meant to provide information about the event, steps taken since discovering the incident and what potentially affected individuals can do to better protect against identity theft and fraud.
What Happened?
Between August 2, 2017, and August 3, 2017, a number of Chase Brexton employees received a bogus employee survey via email. Using a tactic known as ‘phishing’, the bogus survey would give an unknown perpetrator access to employee user account information if employees completed the survey. Before the bogus email and survey were discovered, the survey had been completed by four Chase Brexton employees. The unknown perpetrator(s) logged in to these four Chase Brexton employees’ accounts and used their login information to re-route the employees’ paychecks to the unknown perpetrator(s) bank account. When this was discovered on August 4, we terminated access to these accounts immediately. While the investigation is ongoing, it was determined that unauthorized access to the employee email accounts occurred on August 2 and August 3, 2017.
Chase Brexton does not believe that the unknown perpetrator(s) looked at any emails that were not related to payroll, however, there is no way to know which messages in the email were or were not read. It was determined that these email boxes did contain personal health information from several patients, including the following: patient name, patient ID number, date of birth, address, provider name, diagnosis codes, line of service, service location, visit description, insurance, and medication information.
What Are We Doing?
Obviously, this is a serious situation. At Chase Brexton, we regard privacy and the security of your health
information as privileged information and essential to our patients’ care. Therefore, we have:
- Changed the passwords for the four email accounts so that the unknown perpetrator(s) cannot access them.
- Hired a third-party investigator to assess the situation.
- Installed new email filters.
- Trained employees and added security protocols to stop this from happening in the future.
- Mailing written notice to all potentially affected individuals for whom address information could be determined.
- Notified the U.S. Department of Health and Human Services and the Maryland Attorney General about this incident.
Although no electronic health records were read and we do not believe anyone viewed your health information, we want to be sure you are protected. We are offering you identity repair services out of an abundance of caution.
What Can You Do?
Although we do not anticipate any issues, affected individuals can take extra precautions by monitoring their statements and accounts for any irregular activity.
More Information
We know that you may have questions and concerns regarding this incident. We have established a toll-free hotline to provide you information regarding this incident. The hotline is available from 9 am to 9 pm ET, Monday through Saturday, at 1-855-904-5761.
Our first priority is your health and care. We are deeply sorry this has happened and apologize for any inconvenience or concern this incident may cause.