On August 31, 2018, Hopebridge submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS).
Based in Carmel, IN, Hopebridge’s email breach affected 1,411 individuals’ protected health information.
Hopebridge is classified as a Healthcare Provider.
According to this report about Hopebridge’s breach:
A security breach was detected on July 19, 2018 prompting a thorough investigation. A leading third-party computer forensics firm was engaged to assess the nature and scope of the breach and all accounts and systems were immediately secured to lock out the attacker.
The investigation revealed several employees had been fooled by phishing emails that had been sent between March and July 2018. Several email accounts were compromised as a result of employees’ responses to those emails. An analysis of the compromised email accounts revealed they contained a limited amount of patients’ PHI – Their names, the services they received from Hopebridge, and an inferred autism diagnosis.
The results of the forensic investigation suggest that it was not the intention of the attacker to gain access to PHI, instead the attacks appear to have been an attempt to gain access to employees’ financial information.
…The breach has prompted Hopebridge to implement stronger access controls, IP address whitelisting, and 2-factor authentication on email accounts. Hopebridge is also now masking patient names on internal emails and reports.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.