Over 110,000 Patients’ PHI Compromised Because of Phishing Attacks on Overlake Medical Center & Clinics and VibrantCare Rehabilitation

A phishing attack on Overlake Medical Center & Clinics, located in Bellevue, WA, in December 2019 potentially exposed the personal and protected health information (PHI) of 109,000 patients.

Overlake Medical Center & Clinics discovered the phishing attack on December 9, 2019 and reset passwords to block further unauthorized access. Overlake confirmed that one email account was accessed without authorization from December 6, 2019 until December 9, 2019, when Overlake secured the account. Other email accounts were compromised on December 9, but the attacker only had access to those for a couple of hours.

An examination of the affected accounts showed they contained patient names, addresses, phone numbers, dates of birth, health insurance ID numbers, health insurance company names, and diagnosis and treatment information relating to care received at Overlake. No financial information or Social Security numbers were exposed. The investigation found no evidence that data was stolen, and no reports have been received indicating any misuse of patient information.

Overlake Medical Center & Clinics has already taken steps to prevent similar breaches in the future, including strengthening email security controls to block phishing emails, implementing multi-factor authentication on email accounts, providing improved security awareness training for staff, and adopting new email retention policies.

Overlake began mailing notification letters to affected patients on February 4, 2019. The provider submitted its breach report to the Department of Health and Human Services’ Office for Civil Rights on February 7, 2019.

VibrantCare Rehabilitation Phishing Attack

VibrantCare Rehabilitation, a physical therapy provider in California, learned that an employee's email account was compromised after the employee responded to a phishing email.

Suspicious activity was observed in the email account, which prompted VibrantCare to engage computer experts to investigate a possible breach. The investigation showed that an unauthorized individual had access to the email account from August 20, 2019 to August 27, 2019. A careful review of the email account confirmed that it contained the PHI of 1,655 patients.

The types of information compromised varied from patient to patient. In addition to first and last names, the following data may have been compromised: financial account information, credit or debit card details, demographic information, student identification numbers, Social Security numbers, military identification numbers, driver’s license numbers, government or state identification numbers, passport numbers, alien registration numbers, health and treatment information, health insurance information, patient numbers, medical record numbers, Medicaid or Medicare numbers, and prescription information.

No evidence of data access or theft was identified, and no reports have been received that suggest patient data has been misused; nonetheless, as a precaution, affected patients have been advised to monitor their accounts, credit reports, and explanations of benefits for fraudulent activity.

VibrantCare Rehabilitation is currently reviewing and improving its existing policies to prevent further phishing attacks.