PHI of 41,000 Patients Compromised in Phishing Attacks at UPMC Altoona and Aurora Medical Center

UPMC Altoona found out about an unauthorized access to the email account of one doctor and the person possibly viewed or obtained the protected health information (PHI) of several patients. The medical center uncovered the phishing attack on February 13, 2020, shortly after the breach of the email account.

The attacker used the account to send other phishing emails. The investigators didn’t get any proof of data theft, nonetheless, it’s likely that PHI was accessed without authorization.

A forensic analysis of the email account affirmed that it held patient information such as demographic facts and some clinical information. No Social Security number, financial information, or medical insurance details were exposed.

UPMC Altoona mailed notification letters to the impacted men and women on April 10, 2020. As per the Office for Civil Rights breach portal summary, there were 13,911 patients affected by the phishing attack.

Phishing Attack on Aurora Medical Center

Aurora Medical Center-Bay Area in Marinette, WI had a phishing attack on January 1, 2020, which led to the compromise of 27,137 patients’ PHI.

Many employees from Aurora Medical Center responded to the phishing email messages. Because the employees disclosed their email account details, the attackers obtained access to their email. The medical center learned about the breach on January 9, 2020 and prompted a password reset to prevent unauthorized account access, then submitted a security breach report to the authorities.

Aurora Medical Center conducted an internal investigation to know which data the attackers accessed. The review of the compromised email accounts showed there were PHI of patients contained in the email messages and attachments. Nonetheless, no report indicated the improper use of any patient information. Even so, the probability of data theft can not be eliminated.

An investigation of the email messages showed that the patients had different PHI included in the account. The compromised PHI possibly included the first, last and maiden names, marital status, date of birth, physical and email address, telephone number, driver’s license number, Social Security number, Medical record number, medical device code, bank account variety, healthcare insurance account number, photo of full face, date of treatment, date of admission and discharge.

Aurora Medical Center already reinforced email security and made available to employees some more security awareness training for proper identification of phishing emails.