Based in Dayton, Ohio, Five Rivers Health Centers was the victim of a phishing attack that lasted from April to June 2020.
Five Rivers Health Centers began in 2011 as a medical home for low-income patients. They are now a Federally Qualified Health Center (FQHC) that provides cost-effective, comprehensive primary and specialty care to people of all ages in the greater Dayton area regardless of their financial situation. There are currently 8 different locations that serve more than 25,000 patients.
On May 28, 2021, Five Rivers Health Centers notified 155,748 patients that their personal information had been compromised due to a successful email phishing attack. An unauthorized individual accessed email accounts that contained patients’ personal data.
Although the attack occurred in 2020, an extensive forensic investigation into the cyberattack led by a third party confirmed the breach almost a year later, on March 31, 2021. Five Rivers didn’t notify patients until May 28, 2021.
Data included in the breach
The data breach included personal and protected health information (PHI), such as:
- Date of birth
- Patient account number
- Medical record number
- Treatment cost information
- Dates of service
- Test results
- Lab reports
- Provider name
- Health insurance information
- Prescription information
- Medicare or Medicaid numbers
Some patients also had their financial account information, payment information, driver’s license/identification card numbers, and Social Security numbers stolen in the breach.
How did Five Rivers respond?
To protect against future phishing attacks, Five Rivers is providing employees with updated security policies and procedures along with renewed cybersecurity training. Additionally, they are implementing 2-factor authentication.
Five Rivers is also providing free credit monitoring services for an entire year to patients whose Social Security numbers were compromised and has reminded them to review their financial information and explanation of benefits statements regularly for fraudulent activity.
Protect against phishing with Paubox Email Suite Plus
Healthcare providers must provide regular cybersecurity training for their employees, but data can still be compromised. Solid cybersecurity protection that includes email security is the only way healthcare providers can protect themselves from a data breach and subsequent HIPAA violations.
Paubox Email Suite Plus provides both inbound and outbound email protection, including our patented ExecProtect feature, which stops display-name spoofing emails from ever reaching the inbox. It also comes with Zero Trust Email, which requires an additional layer of proof of legitimacy before delivering an email.
Paubox Email Suite Plus also enables HIPAA-compliant email by default, sent from your existing email client (such as Google Workspace or Microsoft 365). It ensures that your messages and patient information are safe from breaches. Our HITRUST CSF-certified software offers Paubox customers and their patients assurance that their data is protected.