New Mexico’s Presbyterian Healthcare Services was the victim of a phishing attack on its email system that affected 183,370 individuals, according to the Department of Health and Human Services breach portal.
The not-for-profit healthcare system, with nine hospitals, a multi-specialty medical group with more than 900 providers and a statewide health plan, reported that last month it discovered “unauthorized access was gained through a deceptive email” to some of its staff.
The breach, which occurred around May 9, did not affect Presbyterian’s electronic health records or billing systems. However, the unauthorized access to workforce members’ email accounts included patient and health plan member names and might have contained dates of birth, Social Security numbers and clinical or health plan information, according to a statement from the healthcare organization.
“Presbyterian believes that the unauthorized access to these email accounts was part of a ‘phishing’ scam trying to get information,” states the notification. “Once Presbyterian became aware of this incident, it secured these email accounts, began a thorough review of the impacted emails and alerted federal law enforcement.”
While Presbyterian said it is not aware of any improper use or attempted use of the breached email information, the organization recommended that patients potentially impacted by the phishing attack review the statements they receive from their health plan or healthcare providers regarding medical services.
“If you see any service that you believe you did not receive, please contact the health plan or provider immediately,” emphasizes the notification. “To help prevent this incident from happening again, Presbyterian is taking several steps and implementing additional security measures to further protect our email system.”
In addition, the organization reported that all of its staff must successfully complete mandatory training each year about the importance and requirement to safeguard all information.
“In particular, workforce members have received, and will continue to receive, reminders about safeguarding information stored electronically and how to avoid phishing scams,” concluded the announcement. “We want to assure you that Presbyterian is committed to protecting the privacy and confidentiality of every individual’s information.”