Business Associate of Sutter Health Hit in Phishing Attack

by | Feb 25, 2018

Sutter Health is alerting a number of clients that some of their protected health information may have been accessed in a phishing attack on one of its business associates – the Salem and Green legal firm.

On approximately October 11, 2017, a phishing email was opened by an employee at Salem and Green, the reply to which gave the attackers access to that worker’s email account. Upon identifying the attack, a forensics firm was hired to carry out an analysis of the affected computer and network to find the extent of the attack and whether any sensitive information had been downloaded.

The investigation showed the security breach was restricted to a single email account and that access to the account was only open for two days. During the time that the email account was accessible, the attacker could view all emails in the account, some of which contained the protected health information of specific Sutter Health patients.

The sort of information possibly seen by the hacker was restricted to names, dates of birth, driver’s license numbers, Social Security numbers, and other professional ID details.

Outright evidence of data access was not found, although it was also not possible to eliminate data access/theft with a high degree of certainty. Sutter Health believes the risk of data misuse is minimal.

As a precautionary measure, all those impacted by the incident have been offered free credit monitoring and identity theft protection services for one year.

Sutter Health has announced that the legal firm has begun to enhance security to prevent more breaches of this nature and staff have been given security awareness training to help them spot email threats including phishing. The legal firm has also now put in place 2-factor authentication controls on all employee email accounts which will stop account access from unknown sources.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy