On April 24, 2018, Scenic Bluffs Health Center, Inc. submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS). Based in Cashton, Wisconsin, Scenic Bluffs Health Center's email breach affected 2,889 individuals’ protected health information. Scenic Bluffs Health Center is classified as a Healthcare Provider.
According to Scenic Bluffs Health Center's statement:
Cyber attackers gained limited unauthorized access to one staff email account within the Scenic Bluffs Community Health Centers system and may have obtained some information relating to patients.
The health centers notified 2,889 patients of a potential breach of personal patient information after discovering March 1, 2018, that one staff email account had been hacked on Feb. 28, 2018, by an unauthorized party. This party set up a forwarding mechanism that was immediately disabled. Only 44 emails were forwarded, none of which contained any protected personal patient health information. This account was closed, and the breach was resolved.
Mari Freiberg, CEO, noted that while no substantiated breach occurred relevant to any patient, “Federal law and patient privacy protections require this notification based on the mere prospect that someone’s protected information was viewed.”
Scenic Bluffs Community Health Centers mailed notifications on Monday, April 23, to those identified as having a potential impact by this breach. The information that was potentially obtained may have included personally identifiable information.
Scenic Bluffs Community Health Centers has safeguards in place to ensure the privacy and security of all patient health information. As a result of this breach, however, steps are underway to further improve the security of its operations and eliminate future risk. Freiberg added that the health center is working with an outside and respected cybersecurity firm “to further evaluate our systems and identify solutions based on the ever-evolving landscape.”
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.