Primary Health Care announces email breach one year after discovery
Iowa-based Primary Health Care is notifying patients that a hacker breached four of its employee email accounts, which may have allowed the cybercriminals to view or obtain patient information.
The breach lasted only one day. Officials discovered the unauthorized access of four employees’ email accounts on March 1, 2017, in fact, after access began Feb. 28 of that year. Upon detection, Primary Health Care blocked access to the accounts and began reviewing the contents of the hacked emails.
Primary Health Care also hired a forensic investigator to determine the scope of the breach, including related Google drives. Officials were unable to determine what emails were accessed by the hackers.
The impacted accounts included a combination of patient names, Social Security numbers, phone numbers, driver’s license numbers, financial account details, credit or debit card information, medical information, provider information, and, if applicable, Medicaid identification numbers.
Primary Health Care officials said they’re “working to implement additional safeguards and security measures to enhance the privacy and security of information on its systems.” All victims are being offered one year of free credit monitoring.
The breach is currently not shown on the Office of Civil Rights’ breach reporting tool, so the number of patients impacted is currently unknown.
The notice doesn’t explain why it took officials more than a year to report the incident. This should serve as a reminder that under HIPAA, organizations are required to report a breach within 60 days of the initial time of discovery.