[BreachExchange] Data breach hits Essentia Health

Destry Winant destry at riskbasedsecurity.com
Fri Jul 12 09:57:09 EDT 2019


https://www.duluthnewstribune.com/business/healthcare/3831695-Data-breach-hits-Essentia-Health

More than 1,000 Essentia Health patients may be among those victimized
in a large-scale data breach, the health system announced Wednesday.

Nemadji Research Corp., a health data management business based in
Bruno, Minn., fell victim to a phishing attack earlier this year that
allowed outside access to medical information of 14,591 patients, the
Los Angeles Times reported on Tuesday.

In a news release, Essentia Health said it has notified its patients
whose information may have been compromised. Essentia formerly
contracted with Nemadji to assist with billing services, according to
the news release, but no longer does so.

“Essentia Health is not aware of any actual or attempted misuse of
this information, but as a trusted health care provider, it is
important to us that our patients are made aware of this disclosure so
they can take steps to protect themselves,” the news release stated.

In the event of a breach, health care providers are required under
HIPAA to notify affected individuals, the U.S. Department of Health &
Human Services, and, in some cases, the news media.

All of the affected patients are being offered free credit-monitoring
services, the news release added.

Essentia Health had provided Nemadji with information about some of
its patients to “ensure prompt and appropriate delivery of these
services,” it stated.

In a statement on its website, Nemadji said it identified “unusual
activity” in an employee’s email account on March 28 and turned to a
computer forensics expert to investigate. The investigator found that
someone had access to the employee’s email account for several hours
on that date after the employee fell victim to a phishing email.

On June 5, the company identified the first instance in which personal
information “may have been accessible,” and began notifying its
clients, the website announcement stated.

The data breach goes far beyond Essentia. The Los Angeles Times
reported, for example, that thousands of patients of Los Angeles
County’s hospitals and clinics may have been affected.

Exposed data in Los Angeles County included patient names, addresses,
dates of birth, medical record numbers and Medicaid identification
numbers, the Times reported. In two cases, patients’ Social Security
numbers were revealed.

