Primary Health Care Reports Illegal Access to Several Email Accounts

March 22, 2018


Primary Health Care Inc., a non-profit network of community health organizations situated in Des Moines, Marshalltown, and Ames, IA, has noticed that hateful actors have obtained access to the electronic mail accounts of four staff members and have probably seen or gained patients’ safeguarded health data.

Primary Health Care issued a press statement and uploaded an alternate breach notification to its online portal on March 16, 2018, describing the breach happened on February 28, 2017. The breach was known the next day on March 1, 2017. Primary Health Care is in the process of informing impacted patients and will be informing the occurrence to the Division of Health and Human Services’ OCR. No justification is given as to why the breach took 12 months to inform, even though the timing of the breach notification indicates the year referred to in the breach notification might be a typographical error and that the breach occurred this year.

Primary Health Care responded swiftly to the breach and ended access to the undermined electronic mail accounts and hired a third-party computer forensics specialist to finish an inquiry into the attack. The inquiry demonstrated that access to four electronic mail accounts and their related Google Drives was obtained by the attacker(s), even though it was impossible to say if any electronic mails were downloaded and if any PHI was viewed.

An analysis of the electronic mail accounts disclosed they included information like patients’ names together with driver’s license numbers, dates of service, credit/debit card numbers, financial account numbers, facilities and providers attended, health insurance/payer information, medical records, treatment information, diagnoses, Social Security details, and in some instances, Medicaid numbers.

No proof has been found to indicate any information has been wrongly used, even though as a precautionary measure, impacted people have been offered one year of identity theft protection facilities through AllClear for free.

Primary Health Care is currently applying additional safety measures to reinforce the secrecy and safety of its information systems to prevent additional breaches of this type.