PHI of 53,000 Pharmacy Patients Exposed in Email Hack

The protected health information of 53,173 patients who received services from Onco360 and CareMed Specialty Pharmacy has been compromised in an email hacking attack.

The patients were notified after a security breach when suspicious activity involving an employee’s email account was discovered on November 14, 2017.

Third party computer forensics consultants were contracted to conduct an investigation to determine the nature and scope of the HIPAA violation. On November 30, it was reported that the breach has involved three email accounts.

A review of the emails in those accounts showed some messages included the PHI of patients, which could possibly have been seen and obtained by the hacker.

The information possibly included names, demographic information, clinical data, details of medications supplied by the pharmacy, Social Security details and health insurance information. A small number of patients may also have had some financial details accessed.

No reports have been made to suggest any protected health information has been improperly used, although patients have been warned to exercise caution and check their credit reports, account statements, and Explanation of Benefit statements for any evidence of fraudulent activity.  Complimentary credit has also been offered to patients to provide monitoring and identity theft protection services through ID Experts for one year.

The security violation seems to have occurred due to employees opening phishing emails. All employees have now received further guidance to help them recognize malicious emails and email security measures have been enhanced to prevent future breaches.