Patients of Health Quest notified about July 2018 Phishing Breach

Health Quest, the health system based in Connecticut, fall prey to a phishing attack resulting in exposure of the PHI (Protected Health Information) of a few patients. In July 2018, a number of employees of the Health Quest Affiliates became the target of a phishing attack; and recently this Connecticut-based health system has started notifying the patients that their PHI was possibly compromised during this security incident.

The Health Quest Affiliates, namely Health Quest Urgent Care, Health Quest Medical Practice and Hudson Valley Newborn Physician Services were affected by this breach. The patients receiving medical services from all this mentioned affiliates had their Protected Health Information exposed.

As per the officials of Health Quest, the phishing attack took place in the year 2018, in the month of July. The attack was discovered soon after, and all the accounts were promptly secured once the breach was discovered. Health Quest hired a third-party cybersecurity firm, so that they can extend their help in the investigation.

On Apr. 2, 2019, a breach notice was posted on the website of Health Quest, which mentioned about the discovery of data breach by the Health Quest. It was then revealed that because of this phishing attack, the patient data that was included in emails as well as attachments associated with several employee email accounts have been compromised.

The Protected Health Information that got compromised included names of the patients, diagnoses, dates of service, treatment data, insurance claims details, names of the health insurance provider, and other data related to the medical services acquired from Jan. to June 2018.

Since this phishing attack, Health Quest has implemented the multi-factor authentication and also has strengthened the email security so as to prevent these kinds of breaches in near future. Moreover, Health Quest has mailed breach notification letters to all the affected individuals.

As per Health Quest, "on January 25, 2019, Health Quest Affiliates identified email attachments that contained certain health information, and on April 2, 2019, were determined to contain patient information". However, it is not clear why they take so much time to determine that compromised accounts contained Protected Health Information of patients.

» SPAMfighter News - 6/20/2019