BHS Physician Network, comprising First California Physician Partners, Georgia Northside Ear, Nose, and Throat, and Greater Dallas Healthcare Enterprises, experienced two incidents of email-related data breaches as a result of unauthorized third parties accessing their Microsoft Office 365 business account. In the case of BHS, the incident did not impact their Outlook 365 account, which is separate from the affected account.
What happened
In the first incident, discovered between July 28, 2023, and August 15, 2023, an unauthorized third party gained access to the business email account, leading to the exposure of demographic details and medical information. In the second incident, detected on August 11, 2023, a medical assistant's email account was accessed, leading to the compromise of similar data, including full names, dates of birth, medical record numbers, treatment details, and more. It is estimated that 1,857 individuals were impacted.
While these breaches did not involve sensitive information like Social Security numbers or financial details, they did impact various personal data necessary for identification and medical records.
See also: HIPAA Compliant Email: The Definitive Guide
What they're saying
A joint statement was released by BHS regarding their response to the breach: "First California, Georgia Northside, and Greater Dallas Healthcare take the security of personal information seriously. As soon as the incident was discovered, immediate action was taken to mitigate and remediate the incident and to help prevent further unauthorized activity. In response to this incident, security and monitoring capabilities are being enhanced and systems are being hardened as appropriate to minimize the risk of similar incidents in the future."
"We also encourage you to carefully review statements sent from healthcare providers and insurance companies to ensure that all of your account activity is valid. Any questionable charges should be promptly reported to the provider or company with which you maintain the account."
See also: Monitoring encryption and data security measures for HIPAA compliance
What happens next
Following the data breach at BHS Physician Network, Inc., and its affiliated healthcare networks, the immediate steps involve working diligently to bolster their cybersecurity systems and enhance monitoring capabilities to safeguard against similar incidents. They are focusing on fortifying their internal networks and systems to prevent unauthorized access and improve overall security measures.
Additionally, these healthcare entities have set up a dedicated call center and provided a toll-free number to assist and support individuals whose personal information might have been compromised. Affected individuals are encouraged to contact the provided resources to inquire about their specific data exposure, seek guidance, and understand the steps to protect their information.
Notifications are being issued to potentially affected individuals via mail, and the call center will remain active for at least 90 days to provide ongoing support and assistance.
See also: How to respond to a data breach
Kirsten Peremore
