14,591 DHS Patients have PHI Compromised in Phishing Attack on California Business Associate

By Elizabeth Hernandez

Nemadji Research Corporation, an outfit working with California Reimbursement Enterprises, has revealed that an unauthorized person obtained access to the email account of a staff member and may have viewed or copied protected health information (PHI).

California Reimbursement Enterprises is a business associate of several healthcare centers and hospitals in California and operates to provide a patient eligibility and billing solution. The company also provides solutions to the Los Angeles County Department of Health Services (DHS).

A possible email account breach was discovered on March 28, 2019, when IT staff identified unusual activity in a worker's email account. Nemadji determined, with the help of a third-party computer forensics expert, that the staff member replied to a phishing email the same day and the attacker accessed the account for a number of hours.

All emails in the account were reviewed, and on June 5, 2019, Nemadji revealed that patient information had been exposed and notifications were issued to impacted business partners.

The breached email account included emails sent between California Reimbursement Enterprises and DHS with regard to the services provided. Some of those emails included some individuals’ PHI. Nemadji notified DHS about the breach on June 26, 2019, and confirmed 14,591 DHS patients had been impacted.

The information possibly seen or copied was limited to names in combination with one or more of the following data elements: address, telephone number, date of birth, medical record number, patient account number, admission date(s), discharge date(s), Medi-Cal ID number, and month and year of service. Four patients also had diagnostic codes exposed and two patients had their Social Security number accessed.

Impacted patients have been offered free credit monitoring and identity theft protection services and were sent breach alerts as of July 8, 2019.

Nemadji has reassessed its cybersecurity measures and reconfigured them to reduce the risk of further breaches. Staff members have been given more training and email security protections have been strengthened.

Elizabeth Hernandez works as a reporter for NetSec.news. Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy.