A staff member at Phoenix-based Terros Health was tricked by a phishing scam and mistakenly handed over login credentials to the hacker. That person accessed the employee’s email account and may have viewed or obtained a range of protected health information listed in individual emails in the account. The breach was restricted to a single email account and access to other systems was not gained.
Terros Health discovered the phishing attack on April 12, 2018 and alerted the media on June 8. All patients impacted by the breach have now been made aware by mail.
A review into the attack revealed the staff member responded to the phishing email on or around November 16, 2017, which was when the email account was first logged onto by the attacker.
While up to 1,600 patients may have had some of their PHI compromised due to the attack, for the majority of patients (1,241) the exposed data was limited to names and dates of birth. The remaining patients also had their addresses, email addresses, diagnoses, medical history numbers, and other protected health information accessed. 142 patients’ Social Security numbers were also present in the compromised email account and could possibly have been viewed or downloaded. Most patients affected by the breach had previously received medical services at its 23rd/Dunlap Avenue medical center.
Patients whose Social Security number was obtained have been offered credit monitoring and identity theft protection services for 1 year for free.
Before the attack, Terros Health had put in place security measures to prevent the unauthorized accessing of PHI, although the phishing attack avoided those controls. Additional steps have now been taken to improve security, policies and procedures have been strengthened, and more security awareness training is being provided to employees.
The company stated this was the biggest data breach it has experienced to date.