Health First employees were duped by phishing scam earlier this year

Health First, a Florida-based healthcare provider, has alerted the US Department of Health and Human Services (HHS) to a security incident that may have compromised the personal data of around 42,000 patients.

The non-profit community health system, which operates four hospitals in Brevard County, said a “small number” of employees fell victim to a phishing scam between February and May 2018.

In a statement to The Daily Swig, Matthew Gerrell, senior vice president of consumer and retail services for Health First, said criminals were able to gain access to these employees’ email accounts for a “limited period of time”.

“Based on a forensic review, it is believed that a limited number of emails were viewed and the criminals did not appear interested in obtaining personal data, but were focused on continuing their phishing scam,” Gerrell explained.

“However, as some accounts contained protected health information (PHI), we have notified the impacted customers.”

An entry in the Office for Civil Rights’ Breach Portal indicates that 42,000 patients were affected by incident.

After learning of the event, Gerrell said the healthcare provider blocked the unauthorized access and changed the passwords of the impacted employees’ email accounts.

Health First is offering impacted customers identity theft monitoring through AllClear ID for 12 months.

“We apologize for this breach and assure our customers we are doing all we can to protect their health and information,” Gerrell said.

RELATED Security incident at US federal health insurance system affects 75,000 consumers