Phishing Scam Leads To Breach at Maryland Clinic

The protected health information (PHI) of more than 16,000 individuals was breached after hackers gained access to data from a Maryland-based clinic group as part of a phishing scam.

Chase Brexton Health, a group of medical and behavioral health clinics based in the Baltimore area, reported the breach to the Office for Civil Rights on October 3 and posted an announcement on its website. The breach affected 16,562 individuals.

The breach was discovered on August 4 after a series of phishing emails were sent to Chase Brexton staff on August 2 and August 3. The emails contained a link to a fake employee survey. Completing the survey gave the hackers access to staff account information. Four staffers completed the survey, and the hackers were able to use the staffers’ login information to reroute paychecks to a bank account. After the incident was discovered, Chase Brexton terminated access to these four email accounts.

The affected inboxes contained PHI as well as payroll information. The PHI included:

• Addresses
• Dates of birth
• Diagnosis codes
• Insurance
• Line of service
• Medication information
• Names
• Patient ID numbers
• Provider names
• Service location
• Visit description

Chase Brexton hired a third-party investigator to conduct an assessment of the breach. The organization also installed new email filters and security protocols and performed additional staff training.

Affected individuals are being offered identity repair services and can call a toll-free hotline at 855-904-5761 for additional information.