UMass Memorial health, a health care network based in Massachusetts reported a phishing incident that might have leaked personal information of hundreds of thousands of victims. An unauthorised access to restricted employee mail accounts lasted for around seven months, from June 2020 to Jan 2021, before the attack was identified, UMass Memorial said in its statement on the official website. UMass Memorial health consists a medical center, three other healthcare institutes along with a medical group, in a report to Department of Health and Human services mentioned about an email incident affecting around 209,000 individuals.
According to UMass Memorial health, it confirmed the breach (on 7 January) when some employees' mail accounts were accessed by an unauthorised user. The information was posted on HIPAA-Breach Reporting Tool website (belonging to HHS' Office for Civil Rights.' Generally known as the "wall of shame," the website contains health data breaches impacting 500 or more users. The healthcare institute (on 25 August) concluded identifying the affected users whose information might have been leaked.
For patients who have been affected with the breach, the leaked data includes names, ID numbers, subscribers, and election beneficiary information. Whereas for few individuals, driver's license number and social security numbers were also there in the breach. For health plan participant victims, the leaked data includes names, dob, health insurance information, medical record numbers and treatment information, like date of service, diagnoses, prescription information, procedure information and provider names. According to UMass, it does not have any evidence that any information was in fact viewed or accessed, only that it was simply contained within an email account that was compromised.
UMass also says that there is no proof to suggest data misuse, however, the affected individuals would be offered one year complimentary credit and identify monitoring. "UMass Memorial Health says that to prevent similar incidents in the future, it has reinforced education with its staff regarding how to identify and avoid suspicious emails and the organization is also making additional security enhancements to its email environment, including enabling multifactor authentication," reports Gov Info Security.
