On April 5, 2018, Diagnostic Radiology & Imaging reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). The breach at Diagnostic Radiology & Imaging, which is located in Greensboro, NC, affected the protected health information of 800 individuals. Diagnostic Radiology & Imaging is classified as a Healthcare Provider.
According to Diagnostic Radiology & Imaging's press release:
On January 31, 2018, DRI became aware of an impermissible disclosure of limited health information about approximately 800 patients. An investigation revealed that on November 11, 2017, an employee of DRI became the victim of a phishing attack. “Phishing” is a type of cybercrime in which individuals are targeted and tricked into revealing sensitive or confidential information. In this case, an attacker emailed DRI employees using an email address that appeared to be legitimate, and one DRI employee revealed information to the attacker that allowed the attacker to access the DRI employee’s work-related email account.
Within that DRI employee’s email account, we found a limited amount of information about patients, including names, a general description of imaging services received (including date, type, and location of imaging service), medical record numbers, and in some cases, email addresses and phone numbers. In just a few cases, the patient’s date of birth was also included. As a result, the attacker gained access to that information. Please note that the attacker did not have access to any of our patients’ Social Security Numbers or other financial information, and for that reason, we do not believe there is any risk of financial harm to our affected patients as a result of this phishing attack.
In accordance with DRI policy, and as required by federal law, DRI is notifying affected patients via first-class mail.
We take the confidentiality and secure handling of patients’ information seriously. Our investigation involved external forensic investigators as well as attorneys with experience in handling these types of incidents. We have policies and procedures in place regarding the confidentiality and security of patient information, and we train our employees on these policies and procedures on a regular basis. In response to this cybercrime, we have retrained our employees and contractors on our policies and procedures relating to privacy and security. We have also implemented more specific training on phishing and other types of cybercrimes to better educate our employees and contractors.
We are very sorry that this happened, and we are taking steps to try to prevent situations like this in the future.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.