Phishing Incident Affects Patients of Confluence Health

A not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington, has experienced a data breach incident involving a staff member’s email account that may have lead to unauthorized accessing of patients’ protected health information.

The security breach at Confluence Health was discovered on May 29, 2018. A digital forensics consultancy was contracted to conduct an investigation, which showed the email account had been accessed by an unauthorized person on May 28 and May 30, 2018.

The email account only included a restricted amount of protected health information and no highly sensitive data like Social Security numbers or financial information was accessed. Patients affected by the breach have had information such as their names and treatment information targeted.

Confluence Health had a number of security solutions in place to stop unauthorized account access and staff had been given security awareness training, yet those measures were bypassed by the hacker.

While PHI access could have taken place, the investigation showed no evidence to suggest that PHI had been stolen and no reports have been registered with Confluence Health to suggest there has been any inappropriate use of PHI.

Patients impacted by the breach have been alerted by mail and additional security measure have now been put in place to enhance the security of its email system and ensure that any suspicious email and network activity is detected more quickly in the future.

The breach had been reported to the Department of Health and Human Services Office for Civil Rights (OCR) , although the number of patients affected by the incident has not yet been revealed publicly.

The incident is the most recent in a spate of phishing attacks on healthcare groups. In the past eight weeks, phishing incidents have been reported by Sunspire Health in New Jersey, The Alive Hospice in Tennessee, the Terteling Co., Inc., Group Benefit Plan in Idaho, and Boys Town National Research Hospital.