Phishing attack exposes medical information for nearly 15,000 patients in Los Angeles County

July 12, 2019
Medicare Web

The Nemadji Research Corp., a patient eligibility and billing service based in Minnesota, announced on July 8 that the protected health information of thousands of patients may have been exposed earlier this year after a Nemadji employee fell victim to a phishing attack. Those affected by the breach include 14,591 patients in Los Angeles (L.A.) County, according to the L.A. Times, as the L.A. County Department of Health Services contracts with Nemadji to verify patient eligibility for programs that could cover the cost of patients’ care.

According to Nemadji, the breach occurred on March 28 when an employee fell victim to a phishing email, thus allowing an unknown individual to access the employee’s email for several hours that day. Although information in the email account was encrypted at the time of the incident, encryption keys or similar variations were included in the account.

Nemadji investigated to determine whether any personal information was stored in the account, and on June 5, it found the first instance of personal information that may have potentially been compromised. Exposed information included first and last names and one or more of the following items:

  • Addresses
  • Admission/discharge dates
  • Aid categories
  • Claim numbers
  • Dates of birth
  • Diagnosis codes
  • Group names
  • Group numbers
  • Insurance information
  • Medicaid/Medicare/other identification numbers
  • Medical record numbers
  • Patient account numbers
  • Social Security numbers
  • Subscriber names

Nemadji said in its announcement that it is not currently aware of any actual or attempted misuse of personal information stemming from the incident, but it is offering credit monitoring and identity protection services to any potentially impacted individuals.

Related Topics: 
HIPAA