Data Breaches Reported by Sunrise Community Health, Katherine Shaw Bethea Hospital and NYC Health + Hospitals

Sunrise Community Health located in Evans, CO uncovered the exposure of a number of employees’ email accounts because of the employees’ response to phishing emails. Unauthorized persons gained access to the email accounts beginning September 11, 2019 up to November 22, 2019.

On November 5, 2019, third party computer forensics specialists assisted Sunrise Community Health to confirm the exposure of the protected health information (PHI) of some patients included in the email accounts. The compromised information of the patients differed from one another but might have contained names, dates of birth, Sunrise provider names, Sunrise patient ID numbers, dates of service, clinical exams done, the findings of those exams, diagnoses, prescribed medicines, and details of health insurance companies.

Sunrise Community Health believes that the reason for the attack was not to get patient details. However, the chance of unauthorized access and the stealing of information cannot be eliminated. It looks like the attackers are looking for invoices and payroll details.

Although the investigation is still in progress, breach notification letters were actually mailed to impacted persons. Sunrise Community Health is giving impacted patients credit monitoring and identity theft protection services free of charge.

Katherine Shaw Bethea Hospital Phishing Attack

Katherine Shaw Bethea Hospital located in Dixon, IL became aware that an unauthorized person has logged into a staff’s email account and likely acquired a spreadsheet containing the 1,486 patients’ PHI.

The spreadsheet included these data: names, birth date, telephone numbers, health insurance carrier names, diagnoses, and clinical data of patients younger than 18 years old who had gone to the emergency department from November 1, 2018 to May 1, 2019.

Katherine Shaw Bethea Hospital has executed more control measures to strengthen email security and all employees were given more cybersecurity training to recognize phishing fraud.

Improper Disclosure Incident in NYC Health + Hospitals

NYC Health + Hospitals is notifying patients who got treatment subsequent to a motor vehicle accident concerning the impermissible disclosure of their PHI to third parties by personnel.

NYC Health + Hospitals was advised on October 3, 2019 concerning a staff who shared patient data to third parties including law firms from 2016 to November 2019.

NYC Health + Hospitals is considering that all persons who obtained services at its hospitals and clinics after a motor vehicle accident could have been impacted. The investigation is still in progress and the staff involved receivedproper disciplinary action.