Primary Health Care Reports Unauthorized Access to Multiple Email Accounts

by | Mar 20, 2018

Primary Health Care Inc., a non-profit network of community health oganizations based in Des Moines, Marshalltown and Ames, IA, has found that malicious actors have obtained access to the email accounts of four staff members and have possibly viewed or gained patients’ protected health data.

Primary Health Care released a press statement and uploaded a substitute breach notice to its online portal on March 16, 2018 explaining the breach occurred on February 28, 2017. The breach was identified the next day on March 1, 2017. Primary Health Care is in the process of notifying affected patients and will be reporting the incident to the Department of Health and Human Services’ Office for Civil Rights (OCR). No explanation is given as to why the breach took 12 months to report, although the timing of the breach notice suggests the year referred to in the breach notice may be a typo and that the breach took place this year.

Primary Health Care reacted quickly to the breach and terminated access to the compromised email accounts and contracted a third-party computer forensics expert to complete an investigation into the attack. The investigation showed that access to four email accounts and their associated Google Drives was obtained by the attacker(s), although it was not possible to tell if any emails were downloaded and if any protected health information was seen.

A review of the email accounts revealed they incorporated information such as patients’ names along with driver’s license numbers, Social Security details, diagnoses, treatment information, medical records, health insurance/payor information, facilities and providers attended, financial account numbers, credit/debit card numbers, dates of service, and in some instances, Medicaid numbers.

No proof has been found to suggest any information has been improperly used, although as a precautionary measure, affected people have been offered one year of identity theft protection services through AllClear for free.

Primary Health Care iscurrently implementing additional security measures to strengthen the privacy and security of its information systems to avoid further breaches of this manner.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy