On August 4, 2021, the student health insurance plan Academic Health Plans, Inc. (the “Health Plan”) published a data incident notification to inform students of a recent email phishing attack. The attack led to a breach in which students’ protected health information (“PHI”) may have been accessed by an unauthorized third party. The Health Plan completed its investigation on June 4 and determined that the phishing attack occurred between August 6, 2020, and August 24, 2020, and that another attack occurred on October 2, 2020. The investigation concluded that the emails contained students’ names, dates of birth, Social Security numbers, health insurance member numbers, claims information, and diagnosis and treatment information. In response to this data breach, among other measures, the Health Plan provided employees with extensive training regarding phishing emails and other cybersecurity issues.
This recent attack on the Health Plan is an important reminder to health plans, health facilities, and healthcare providers of the need for renewed employee training regarding phishing emails and cybersecurity threats. This is especially important given the COVID-19 pandemic and the focus of those within the healthcare industry on an ever-changing landscape of regulations and new COVID-19 variants. Email phishing attacks are unique in that they are specially crafted to get users and employees to believe that they are responding to and opening secure emails, sites, and messages. It is important for those in the healthcare industry to remind employees and staff that protecting patient, provider, and customer PHI is still a top priority, despite the pressures of the COVID-19 pandemic.