Email account breach reports were filed by Montrose Regional Health, Acacia Network, and EPIC Pharmacy Network.
Montrose Regional Health
The health system Montrose Regional Health based in Colorado has just begun informing 52,632 patients about the exposure of some of their protected health information (PHI) when unauthorized people got access to employee email accounts. The provider detected suspicious activity in the email account of an employee, which prompted an investigation right away. Helped by a third-party cybersecurity firm, Montrose Regional Health found out that unauthorized persons accessed several employee email accounts from August 2, 2021 to October 26, 2021.
An analysis of the emails and file attachments was done and on February 25, 2022, it was confirmed that the accounts comprised names coupled with at least one of these types of data: inpatient/outpatient status, service date, internal patient account number, cost of treatment, procedure code, name of the provider, and/or medical insurance provider. Montrose Regional Health stated there was no evidence found about the misuse of any data retained in the email accounts.
Acacia Network
Acacia Network just reported a data breach that occurred over 18 months ago and impacted 30,220 persons who got services from the Puerto Rican Organization to Motivate, Enlighten, and Serve Addicts. Based on a February 22, 2022, breach notification, Acacia discovered a breach of its email system on July 17, 2020, and the succeeding internal and forensic investigation confirmed that unauthorized persons accessed email accounts from June 6, 2020 to June 12, 2020.
It wasn’t possible to know whether the unauthorized persons accessed or obtained any data in the accounts; nevertheless, it is likely these types of data were exposed: names, driver’s license numbers, Social Security numbers, addresses, dates of birth, financial account numbers, resident ID numbers, medical record numbers, medical insurance data, Medicare numbers, names of provider, treatment, prescribed medications, and/or diagnostic data.
Acacia mentioned it is providing free credit monitoring and identity protection services to people whose driver’s license number or Social Security number is exposed. It is uncertain why the breach notifications took a long time to be sent.
EPIC Pharmacy Network
EPIC Pharmacy Network based in Mechanicsville, VA just reported a breach of its email system. EPIC stated unauthorized persons accessed two employee email accounts. The forensic investigation and review of documents ended on December 22, 2021.
The forensic investigation affirmed that unauthorized persons accessed two email accounts on August 19, 2021. The accounts included names, birth dates, and health diagnosis/treatment data, which includes but are likely not restricted to prescription data, and also medical ID number(s) and/or medical insurance plan data.
EPIC stated it did not find any evidence of access or misuse of any information in the accounts. After the breach, EPIC had its IT managed services providers put extra security measures to protect against other email attacks.
Notification letters were issued to the 28,776 impacted persons on February 8, 2022, and free credit monitoring services were provided to a number of persons.