Email Account Breaches Reported by University of Minnesota Physicians and McLeod Health

HIPAA Journal

Steve Alder

University of Minnesota Physicians has suffered a phishing attack that allowed unauthorized individuals to gain access to the email accounts of two employees. One email account was accessible between January 30 and January 31, 2020 and the other on February 4, 2020 for a short period of time.

Upon discovery of the breach, the accounts were immediately secured, and third-party forensic investigators were engaged to assess the nature and scope of the breach. The review did not uncover any evidence to suggest emails in the accounts had been viewed or patient data obtained, but it was not possible to rule out data access with a sufficiently high degree of certainty.

A review of the compromised accounts revealed they contained the protected health information of certain patients. The types of information in the accounts varied from patient to patient and may have included name, address, date of birth, date of death, date of service, telephone number, medical record number, account number, payment card number, health insurance information, and medical information. A limited number of individuals also had their Social Security number exposed.

Notification letters...

Get the Morning Update

Thanks for subscribing!