Email Security Breaches at Conway Medical Center and Equinox Inc.

Unauthorized individuals accessed the email accounts of a number of employees of Conway Medical Center (CMC), based in South Carolina.

Conway Medical Center detected the phishing attack on October 7, 2019, and immediately secured the affected email accounts to stop further unauthorized access. Third-party cybersecurity professionals investigated the breach to determine whether patient data had been accessed or downloaded. The investigators confirmed that the email accounts were first compromised on or before July 2019.

The investigators did not confirm the exposure of patients’ protected health information (PHI) until November 20, 2019, because they had to manually review every email to determine whether the accounts contained PHI and whether there had been unauthorized access.

The attacker accessed the email accounts by synchronizing them with the attacker’s computer, so information might have been downloaded automatically. The information contained in the emails includes names, birth dates, telephone numbers, addresses, Social Security numbers, dates of admission and discharge, CMC account numbers, amount due, and other details. For some patients, the attacker possibly acquired the names, addresses, telephone numbers, Social Security numbers, location of employment, and other data associated with their guarantors.

CMC has taken the needed steps to enhance email security and has mailed notification letters to the affected patients. Individuals whose financial data was exposed were offered free identity theft protection services.

CMC submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that the security breach affected 2,550 patients.

1,021 Equinox, Inc. Clients’ PHI Exposed

Equinox, Inc., based in Albany, NY, provides services to people who suffer from chemical dependency, mental health problems, and domestic abuse. Equinox discovered the unauthorized access to the email accounts of two employees on July 26, 2019. The data security breach was detected because of suspicious activity in its digital environment.

Equinox immediately secured its systems and hired third-party cybersecurity professionals to investigate the incident. On August 28, 2019, it was confirmed that unauthorized persons had accessed two email accounts. On October 9, 2019, the investigators confirmed the potential access of the PHI of 1,021 current and former clients. The PHI contained in the email accounts included names, dates of birth, addresses, Social Security numbers, details of medical treatment or diagnosis, medical insurance details, and/or medication-related data.

No evidence was found indicating that information in the emails or attachments was accessed or acquired. No reports suggesting misuse of clients’ data have been received either.

Equinox notified the affected people on December 6, 2019, and offered them free credit monitoring and identity theft protection services. Extra security controls were implemented to prevent similar breaches.