Terros Health Phishing Attack Impacts up to 1,600 Patients

by | Jun 14, 2018

A staff member at Phoenix-based Terros Health was tricked by a phishing scam and mistakenly handed over login credentials to the hacker. That person accessed the employee’s email account and may have viewed or obtained a range of protected health information listed in individual emails in the account. The breach was restricted to a single email account and access to other systems was not gained.

Terros Health discovered the phishing attack on April 12, 2018 and alerted the media on June 8. All patients impacted by the breach have now been made aware by mail.

A review into the attack revealed the staff member responded to the phishing email on or around November 16, 2017, which was when the email account was first logged  onto by the attacker.

While up to 1,600 patients may have had some of their PHI compromised due to the attack, for the majority of patients (1,241) the exposed data was limited to names and dates of birth. The remaining patients also had their addresses, email addresses, diagnoses, medical history numbers, and other protected health information accessed. 142 patients’ Social Security numbers were also present in the compromised email account and could possibly have been viewed or downloaded. Most patients affected by the breach had previously received medical services at its 23rd/Dunlap Avenue medical center.

Patients whose Social Security number was obtained have been offered credit monitoring and identity theft protection services for 1 year for free.

Before the attack, Terros Health had put in place security measures to prevent the unauthorized accessing of PHI, although the phishing attack avoided those controls. Additional steps have now been taken to improve security, policies and procedures have been strengthened, and more security awareness training is being provided to employees.

The company stated this was the biggest data breach it has experienced to date.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy