Confluence Health, a not-for-profit health system that manages Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite health centers in Central and North Central Washington, has suffered a data safety occurrence involving a worker’s electronic mail account that might have led to illegal accessing of patients’ PHI.
The safety breach was noticed on May 29, 2018. A digital forensics company was called in to carry out an inquiry, which disclosed that the electronic mail account had been retrieved by an illegal person on May 28 and May 30, 2018.
The electronic mail account had only a limited amount of PHI and no highly confidential data like Social Security numbers or financial information was disclosed. Patients impacted by the occurrence have had information such as their names and treatment information disclosed.
Confluence Health had many safety solutions in place to avoid illegal account access and workforce had received safety consciousness training, but those measures were sidestepped by the attacker.
Although PHI access was possible, the scrutiny disclosed no proof to indicate that PHI had been thieved and no reports have been received by Confluence Health to indicate there has been any abuse of PHI.
Patients affected by the breach have been informed by mail and additional protections have now been applied to upgrade the safety of its electronic mail system and make sure that any doubtful electronic mail and network activity is noticed more quickly in the time to come.
The breach had been informed to the Division of Health and Human Services Office for Civil Rights. The breach summary shows 33,821 patients were affected.
The occurrence is the latest in a wave of phishing attacks on healthcare companies. In the past two months, phishing occurrences have been informed by the Alive Hospice in Tennessee, Group Benefit Plan in Idaho, Sunspire Health in New Jersey, the Terteling Co., Inc., and Boys Town National Research Hospital.