Email Security Breaches at Orthopaedics Practice, Administrative Advantage, and Parkland Health and Hospital System

The Centers for Advanced Orthopaedics located in Maryland, Washington DC, and Virginia found out that unauthorized persons got access to the email accounts of several workers. On September 17, 2020, the practice noticed suspicious activities in its email program. Investigating third-party cybersecurity experts affirmed that unauthorized individuals viewed a number of email accounts from October 2019 until September 2020.

An analysis of the impacted email accounts was performed to identify the types of information that were compromised and it was established on January 25, 2021 that protected health information (PHI) was potentially accessed or obtained by hackers.

The email accounts included details of patients, staff, and their dependents. Patient records were mostly limited to names, diagnoses, treatment details, and dates of birth. A subgroup of patients additionally had one or more of these data types kept in the account: driver’s license number, passport number, Social Security number, financial account data, payment card details, or email/username and password.

Personnel and dependent data was typically restricted to birth dates, medical diagnoses, treatment details, driver’s license numbers, and Social Security numbers. A part contained at least one of the following information: passport number, payment card data, financial account details, or email/username and password.

Notification letters were mailed to affected persons beginning March 25, 2021. Free credit monitoring and identity restoration services were provided to impacted people.

Guidelines and procedures and security systems are being evaluated and will be modified to strengthen defenses against these kinds of breaches.

Vendor Email Breach Affects Remedy Medical Group Patients

Administrative Advantage, a vendor that provides billing support services to Remedy Medical Group, a pain management specialty practice in California, has learned that an unauthorized person accessed the email account of a worker. The vendor identified suspicious activity in the email account last July 2020 and looked into the occurrence to find out the nature and extent of the breach. The investigating third-party security professionals confirmed on August 18, 2020 that unauthorized persons accessed the email account between June 23, 2020 and July 9, 2020.

The email account affected during the breach included the PHI of Remedy Medical Group patients, including names, financial account data, state identification and/or driver’s license numbers, Social Security numbers, credit and/or debit card data, birth dates, electronic signature details, passport numbers,
username and password data, Medicaid Numbers Medicare Numbers, health record numbers, treatment locations, diagnoses, medical insurance details, and laboratory test data. The types of data possibly compromised differed from patient to patient.

After the breach, security procedures were assessed and more training about email security was made available to the employees. Persons likely vulnerable to identity theft were given access to identity theft protection services for free.

Email Error Impacted Dallas County Jail Inmates

Parkland Health and Hospital System identified an email error that triggered the sending of the PHI of inmates in the Dallas County jail system to someone not authorized to see the data.

The email was dispatched by mistake to a Dallas County worker. It included laboratory test invoices with information, such as the inmates’ first and last name, name of the diagnostic test given, and birth date.

The breach took place in February 2020. The recipient of the email informed Parkland Health and Hospital System officers that he/she did not read the message and permanently deleted it. The hospital notified the affected 1,594 people about the breach.