Health Quest announced that it's begun notifying patients whose information might have been exposed in a phishing incident.
According to its website notice, Health Quest first learned of the incident in July 2018 when several employees fell for a phishing attack and thereby inadvertently disclosed their email account credentials to an unauthorized party. The Hudson Valley-based group of nonprofit hospitals and healthcare providers responded by securing the compromised email accounts and retaining a digital security firm to assist with an investigation into what happened.
It also sent some notification letters in May 2019. However, further investigation revealed that some emails and attachments in the then-compromised email accounts might have contained the information of current and former patients as well as employees. That information varied by individual but might have included victims' names, dates of birth, Social Security Numbers, driver's license numbers, health insurance details and payment card data. Upon making this discovery, Health Quest decided that additional notification letters were in order. As it explained in its notice:
We have no indication any patient information was viewed by the unauthorized person or has been misused. However, out of an abundance of caution, we began mailing letters to affected patients on January 10, 2020, and have established a dedicated call center to answer questions patients may have.
In an effort to prevent attacks like the one described above from happening again, Health Quest said that it's implemented multi-factor authentication for email and additional business procedures. It also said that it will begin using security awareness training to educate employees about some of the most common types of phishing attacks that are in circulation today. Health Quest's announcement shortly after Alomere Health in Alexandria, Minnesota disclosed that it had begun notifying patients of an email security incident that involved the compromise of two employees’ email accounts.