PHI breaches happen for a number of reasons. Whether they result from human error or phishing attacks, PHI breaches should be a cause for concern for anyone working in the healthcare industry. Under the Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) must be safeguarded.
PHI is any individually identifiable health information. The Department of Health and Human Services (HHS) classifies it into 18 identifiers, including names, email addresses, birthdates, and treatment information.
Accidental PHI Breach at ASU Results in HIPAA Violation
In July, Arizona State University (ASU) emailed students to inform them about renewing their health insurance. The email, which was sent to 4,000 students, allowed recipients to view the email addresses and names of the other students who received it. Failing to mask student names and email addresses is considered a PHI breach.
In an attempt to mitigate the PHI breach, ASU deleted 2,540 of the sent emails; however, many of the emails had already been viewed. To prevent a similar situation from occurring in the future, ASU has made changes to procedures involving PHI, such as adding more approval levels for mass-distributed emails.
PHI Breach from Phishing Attack
Michigan Medicine is the latest victim of the phishing attack spree hitting healthcare organizations. The PHI of 5,466 patients was exposed in a phishing attack targeting Michigan Medicine employees. A phishing attack occurs when hackers send emails containing a malicious link.
The phishing email in question was sent to 3,200 employees at Michigan Medicine. Three employees clicked on the link, which directed them to a website that appeared to be legitimate. The website prompted employees to enter their email login credentials. Once the employees entered their login information, their email accounts were accessed by unauthorized individuals.
The PHI breach was detected by Michigan Medicine. Michigan Medicine took action by resetting the passwords of all of the employees who received phishing emails. Information compromised by the PHI breach included date of birth, address, treatment information, medical record number, diagnostic information, health insurance information, and some Social Security numbers. Although it is unclear whether or not PHI was viewed or copied, Michigan Medicine is taking the proper measures by informing affected patients and offering them free credit monitoring services. In addition, Michigan Medicine is enhancing security measures and retraining employees to prevent another PHI breach from occurring.
Do You Need Help with Healthcare Cybersecurity?
Compliancy Group gives healthcare providers and vendors working in healthcare the tools to confidently address their HIPAA compliance in a simplified manner. Our cloud-based HIPAA compliance software, the Guard™, gives healthcare professionals everything they need to demonstrate their “good faith effort” towards HIPAA compliance.
To address HIPAA cybersecurity requirements, Compliancy Group works with IT and managed service provider (MSP) security partners from across the country, who can be contracted to handle your HIPAA cybersecurity protection.