Chase Brexton Health Care, a Baltimore-based group of community health clinics, plans to notify patients about a security incident after four employees responded to a phishing attempt.
A number of Chase Brexton employees received a "bogus employee survey" via email Aug. 2 and Aug. 3, according to the group's online notification. Four employees completed the survey, which provided the unknown perpetrator access to their user account information. The perpetrator used the information to log into the employees' email accounts and re-route their paychecks.
Chase Brexton officials discovered the incident Aug. 4 and terminated access to the affected accounts.
Chase Brexton reported 16,562 individuals were affected in the incident, according to an Oct. 3 submission to HHS' Office for Civil Rights breach portal. Officials do not believe the perpetrator misused emails unrelated to payroll. However, the affected accounts contained health information belonging to several patients, including names, dates of births and insurance information, among other data.
To address the incident, Chase Brexton officials installed new email filters, hired a third-party investigator and trained employees on additional security protocols. Officials also mailed notification letters to potentially affected individuals and established a toll-free hotline to address patient questions.
A Chase Brexton spokesperson told Becker's Hospital Review the group had no additional comment beyond the online notification. To access the full notification, click here.