Covenant Care Data Breach Affects 7,858 Patients

Covenant Care has announced that a data breach at their facility has affected 7,858 patients.

Covenant Care is a residential care provider and skilled nursing facilities based in Aliso Viejo, California. The organisation discovered the breach when suspicious activity was detected on an employee’s email account on January 29, 2019. Covenant Care immediately launched an investigation into the breach and contracted a third-party cyber forensics firm to assist with assessing the cause and scope of the breach.

The investigation revealed that the email account was compromised on January 22, 2019. The hacker was able to access the accounts until Covenant Care discovered the attack on January 29 and secured the account. 

The investigators investigated the compromised account to determine what types of information the attacker could access. The report, released on February 13, 2019, stated that the hacker could access all emails and attachments while they had access to the account. The emails contained information about over 7,85p patients.

The information on each patient varied from individual to individual and may have included full name, date of birth, Social Security number, health insurance claim number, medical record number, diagnoses, provider(s) name, treatment location(s), Medicare covered days, Medicare billing amounts, admission and re-admission dates, dates of service, discharge dates, and information related to medical equipment, home health services, outpatient services, and hospice services.

Following HIPAA’s Breach Notification Rule, Covenant Care issued breach notification letters to all patients affected by the breach. The organisation stated that they had not found evidence suggesting that the hacker had used any of the patient information for nefarious purposes. However, out of an abundance of caution, patients were notified and have been offered 12 months of credit monitoring and identity theft restoration services at no charge. Covenant Care stated sending the breach notification letters on March 6, 2019.

Covenant Care reports that strict security safeguards were in place before the breach. They have committed to implementing further controls to increase email security and mitigate the risks of another breach of this kind from occurring again. The organisation will review all technical, administrative, and physical safeguards to identify any vulnerabilities in their system. Covenant Care has stated that they will train their employees on cybersecurity best practices and spotting suspicious emails.