On March 25, Christie Business Holdings Company, P.C. (“Christie Clinic”) disclosed a breach. As DataBreaches.net reported the next day, the clinic reported that an unauthorized actor had gained access to one business email account between July 14, 2021 and August 19, 2021. Christie’s investigation indicated that the intent of the attacker may have been to intercept a business transaction between Christie Clinic and a third-party vendor. In any event, that account contained protected health information, and today, HHS added the incident to their public breach tool.
From their entry, it appears that Christie Clinic reported the incident to HHS on March 25, the same day they issued a press release and a notice on their website. What we learned today is that they have notified 502,869 patients because of that incident.
Did one business email account really contain unencrypted PHI on more than half a million patients? Ouch.