[BreachExchange] California healthcare data breach could impact nearly 200,000 patients

Destry Winant destry at riskbasedsecurity.com
Mon Jan 27 10:00:51 EST 2020


https://portswigger.net/daily-swig/california-healthcare-data-breach-could-impact-nearly-200-000-patients

The personally identifiable information of nearly 200,000 current and
former patients of a California healthcare network may have been
compromised following a phishing campaign that successfully targeted
employee accounts.

A potential data breach at PIH Health – operator of 10 hospitals,
urgent care centers, and other facilities across southern California –
was first uncovered on June 18, 2019.

This prompted the Whittier-based healthcare organization to secure its
email system and network, including resetting passwords for
potentially affected employee accounts.

The investigation into the breach revealed on October 2 that certain
employee email accounts had indeed been accessed without authorization
between June 11 and June 18, following a targeted phishing campaign.

On November 12, the healthcare provider said it became clear that the
email accounts in question may have contained the personal data of
current and former patients.


PIH Health said it started notifying potential victims by letter on
January 10, in a security alert issued on the same day.

Some 199,548 individuals may have been impacted by the incident,
according to the US Department of Health and Human Services’
healthcare data breach portal.

PIH Health said it was implementing additional security measures to
prevent a similar security incident from happening in the future.

The company has also established a toll-free call center to field
questions about the incident, and is offering complimentary credit
monitoring services to some potential victims.

As of January 10, when the security alert was issued, the healthcare
facility said it was “not aware, and the independent forensic
investigation did result in the identification of, any evidence that
information involved in this incident has been misused.”

The Daily Swig has contacted PIH Health for an update on its investigation.

