Email Account Breaches at Alameda Health System, Stark Summit Ambulance and EyeMed Vision Care

Alameda Health System (AHS) based in Alameda, CA, an outpatient, inpatient, emergency, and wellness services provider within the East Bay area, discovered that an unauthorized person had momentarily acquired access to the email account of personnel.

AHS discovered account access for a limited time period on April 8, 2020. The provider discovered the breach on June 17, 2020.

With the help of a top-rated forensic security agency, AHS established the potential compromise of these types of information: names, birth dates, appointment schedules, medical record numbers, limited medical data, health insurance details, Social Security numbers, and driver’s license numbers.

AHS and the forensic investigators didn’t find any information to indicate the misuse or theft of any data for the intention of undertaking identity theft or fraud. However, as a preventative measure, AHS offered the persons whose Social Security number was likely compromised complimentary credit monitoring and identity theft protection services.

AHS filed the breach report to HHS’ Office for Civil Rights and showed that 2,691 people were impacted by the security breach.

Multi-Email Account Breach at Stark Summit Ambulance

Stark Summit Ambulance, which is an emergency and non-emergency medical transport services provider in Central and Northeast Ohio, discovered suspicious email activity on May 28, 2020. Investigating the incident in the next two months revealed that many more email accounts were compromised.

A review of the compromised accounts showed that six accounts contained electronic protected health information (ePHI), which the hacker may have viewed or copied.

The data in the accounts differed from person to person and might have included the names of patients plus one or more of these data elements: Social Security number, state ID number, driver’s license number, passport number, medical diagnosis, medical treatment data, treatment type, location of treatment, clinical data, mental or physical ailment, health care provider/physician name, date of service, medical background details, medical insurance data, Medicare/Medicaid number, other health care payment/expense details, prescription details, bank account, personal identification code or debit / credit card number.

Email Account Breach at EyeMed Vision Care

EyeMed Vision Care LLC based in Ohio is a vision benefits provider, which found out about the unauthorized access to its company email system. The unauthorized individual employed the account to send out phishing emails to persons in the address book. On July 1, 2020, EyeMedVision Care detected the breach and protected the account right away.

A breach investigation affirmed that the unauthorized person obtained email account access on June 24, 2020. The email account contained the ePHI of persons who at the moment or have in the past acquired vision benefits via EyeMed. The following data are included in the account: names, dates of birth, addresses, email addresses, phone numbers, and vision insurance account/identification numbers. A limited number of persons also had their diagnoses and eye conditions, treatment data, and complete or partial Social Security numbers contained in the email account.

It can’t be determined whether any of the details were viewed or acquired by the hacker when the account was accessed. Nevertheless, there is no report received that suggests the misuse of any information. EyeMed Vision Care offered the affected people a 2-year free credit monitoring and identity protection services.

EyeMed has since given its employees more security awareness training and has enforced tougher security steps for authorized access to its system.