Data Breach Impacts More Than 23,300 CCPSA Medical Patients

2019, Breaches, January

Who: Critical Care, Pulmonary & Sleep Associates

No. of Accounts Breached: 23,377 patients’ accounts

What was affected: Personally identifiable information; clinical information such as diagnoses and conditions, labs and diagnostic studies, medications, and other treatment information; information shared with CCPSA or other providers with whom CCPSA has communicated; and certain insurance information, including member and group numbers, costs for services, Social Security number, and/or driver’s license. Credit card and debit card information was NOT involved.

When it happened: November 23, 2018

How it happened: CCPSA discovered that an unauthorized individual or entity gained access to an employee’s CCPSA email account and used the email address to send phishing emails to individuals in the employee’s electronic contacts seeking fraudulent financial payments.

Outcome: CCPSA immediately began investigating and took action to block further access and to secure the email account and CCPSA’s entire email environment. CCPSA hired a national firm with forensic computer expertise to assist in the investigation and to determine the nature and scope of the breach.

CCPSA’s forensic investigation concluded on December 14, 2018, and discovered that there was unauthorized access to certain CCPSA accounts between August 14 and November 23, 2018. Importantly, CCPSA’s electronic medical records platform was NOT compromised or accessed by the hacker.

CCPSA immediately began a detailed analysis and review of all potentially compromised emails and files to identify the names of all individuals who were potentially impacted, as well as the type of information included in these files.