An employee at Bend-based hospice Partners In Care was the victim of an email phishing attack that exposed the private health information of some patients.
Partners In Care discovered the attack on March 4 and did an “extensive” forensic investigation and manual email review, according to a press release. The unidentified employee’s email account was accessed through the phishing attack from Nov. 17 to Dec. 12. Information contained in those emails that could have been exposed may have included patient names, dates of birth, medical record numbers, medical information such as a diagnosis, labs, treatment, medications, insurance information and, for a limited number of patients, Social Security numbers. Financial information was not part of the contents of the email account.
The hospice organization launched an investigation and engaged external cybersecurity professionals, according to the release. On April 26, the hospice notified affected individuals and offered a toll-free number for assistance. Affected people were also encouraged to review the explanation of benefits statements they received from their health insurance providers, follow up on any items they did not recognize, and review financial statements frequently.