Phishing Attack on California Vendor Breaches Data of 14,500 Patients
Posted on: Thursday, July 11, 2019 By: KorchekStaff
An employee of vendor California Reimbursement Enterprises fell victim to a phishing attack in March, which potentially breached the data of 14,500 patients, including those from Los Angeles County DHS.
July 10, 2019 - Nemadji Research Corporation (California Reimbursement Enterprises) is notifying 14,591 patients that their data was potentially breached after an employee fell victim to a phishing attack in March.
The California-based vendor provides billing and patient eligibility services for multiple healthcare organizations and hospitals across the state, including the Los Angeles County Department of Health Services.
On March 28, 2019, the IT staff of California Reimbursement Enterprises detected unusual activity on an employee email account. Officials said they contracted with a third-party computer forensics team to assist with the investigation and found an employee fell victim to a phishing email on the day the unusual activity was discovered.
Further investigation determined a hacker had access to the email account for several hours before access was terminated, which potentially gave the hacker the ability to view or copy the data in the account.
LA County DHS patient information was included in the breached account, such as patient names, medical record numbers, patient account numbers, dates of birth, admission and discharge dates, Medi-Cal identification numbers, and dates of service. Two Social Security numbers were breached, as well as four diagnostic codes.
Since the breach, Nemadji has bolstered its cybersecurity, including enhancing its email security and providing employees with further training. All impacted patients will receive a year of free credit monitoring and identity theft protection services.
The notification did not explain the delay in breach notification. Under HIPAA, covered entities and business associates must notify patients of data breaches within 60 days of discovery. Recently, the Department of Health and Human Services has cracked down on providers that delay notification.
In January 2017, Presence Health became the first provider fined by HHS Office for Civil Rights for a lack of timely data breach notification.
The healthcare sector continues to struggle with vendor-related breaches. CynergisTek found 20 percent of healthcare data breaches in 2018 were caused by third-party vendors. A Ponemon Institute and Censinet report found more than half of providers have experienced a breach caused by a vendor in the last two years.
Some security leaders have noted providers can bolster third-party risk management by building a strong vendor relationship that begins during the contracting process, along with a complete and up-to-date inventory of assets.