Conway Medical Center and Equinox Inc. Email Security Breaches

A phishing attack on Conway Medical Center in South Carolina gave unauthorized individuals access to the email accounts of several employees.

Conway Medical Center became aware of the phishing attack on October 7, 2019 and immediately secured the employees’ email accounts to block further unauthorized access. Third-party cybersecurity specialists investigated the breach to determine whether patient data had been accessed or stolen. According to the investigators, the email accounts were first compromised on or before July 2019.

It was only on November 20, 2019 that the investigators confirmed the exposure of patients’ protected health information (PHI). The investigators took a long time to manually analyze every email and see whether it contained PHI that the hackers accessed.

The attacker synchronized the email accounts with his/her computer to access the information in the accounts, which was probably downloaded automatically. The emails contained information such as names, Social Security numbers, telephone numbers, addresses, birth dates, dates of patient admission and discharge, sums due, CMC account numbers, and other information. For certain patients, the attacker possibly obtained their names, phone numbers, Social Security numbers, addresses, place of work, and other data connected to their guarantors.

CMC has already implemented steps to improve email security and has sent breach notification letters to the impacted patients. People whose financial information was exposed received offers of free identity theft protection services.

The breach report that CMC submitted to the Department of Health and Human Services’ Office for Civil Rights indicated that the breach impacted 2,550 patients.

PHI of 1,021 Clients of Equinox, Inc. Compromised

Equinox, Inc. in Albany, NY provides services to individuals dealing with mental health issues, domestic abuse, and chemical dependency. Equinox found out on July 26, 2019 that the email accounts of two employees were compromised. The data security breach came to light after suspicious activity was seen in its digital system.

Equinox quickly protected its systems and retained third-party cybersecurity specialists to look into the matter. On August 28, 2019, the investigators confirmed the unauthorized access of the two email accounts. Then, on October 9, 2019, the investigators confirmed that attackers potentially accessed the PHI of 1,021 clients. The PHI in the email accounts included the clients’ names, birth dates, addresses, Social Security numbers, particulars of medical treatment or medical diagnosis, health insurance information, and/or information related to medication.

The investigators uncovered no proof that clearly shows the information in the email messages or attachments was accessed or downloaded. There is likewise no report that indicates improper use of clients’ information.

On December 6, 2019, Equinox notified the people affected by the breach about the incident and offered them free credit monitoring and identity theft protection services. Additional security controls have been installed to prevent similar breaches from recurring.