by Arianna Etemadieh

Alive Hospice Suffers HIPAA Email Breach

On July 13, 2018, Alive Hospice reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS).

The email breach at Alive Hospice, which is based in Nashville, Tennessee, affected the protected health information of 1,868 individuals.

Alive Hospice is classified as a Healthcare Provider.

According to Alive Hospice’s press release:

On or around December 20, 2017, and April 5, 2018, Alive Hospice experienced email phishing events that affected an employee email account.  Alive Hospice immediately took steps to respond to and investigate these events and, while the investigations found no evidence of unauthorized access to personal information, Alive Hospice took steps to change the user’s password on both occasions, in an abundance of caution.  On or around May 15, 2018, during a review of its email system, Alive Hospice learned of ongoing unauthorized activity in the employee’s email account that may have resulted in unauthorized access to certain personal information.  Alive Hospice immediately commenced an investigation to determine the nature and scope of the incident, as well as determine what information may be affected.  Through the investigation, which included working with third party forensic investigators, Alive Hospice determined that an unauthorized actor(s) gained access to two Alive Hospice employee email accounts.  The investigation determined the unauthorized activity began on or around December 20, 2017, for one user, and on or around April 5, 2018 for the other user.  The investigation also determined that the emails affected by this incident contained personal information.  While the information potentially affected varies by individual, Alive Hospice’s investigation determined that the information that may have been affected includes name, date of birth, Social Security number, passport number, driver’s license or state identification number, copy of birth or marriage certificate, financial account number, medical history information, treatment and prescription information, health insurance information, username/email and password information, biometric identifiers, IRS pin number, digital signatures, and security questions and answers. 
To date, Alive Hospice has no evidence that any information potentially impacted by this incident was subject to actual or attempted misuse.

The confidentiality, privacy, and security of information in Alive Hospice’s care is one of its highest priorities.  Upon learning that patient information may have been affected by this incident, Alive Hospice commenced an investigation to confirm the nature and scope of the event and identify what personal information may have been present in the affected emails.  With the assistance of third party forensic investigators, Alive Hospice has been working to identify and put in place resources to assist potentially impacted individuals.  While Alive Hospice already has stringent security measures in place to protect information in its systems, Alive Hospice is also implementing additional safeguards to protect the security of information.   

HHS Wall of Shame

The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.

As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

HIPAA Breach Report

The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.