Malware, Employee Email Breaches Result in PHI Exposure

One look at the Office for Civil Rights (OCR) data breach portal shows that hospitals, nonprofits, and small community health centers continue to face healthcare data breaches.

Hundreds of thousands of individuals have already fallen victim to healthcare data breaches this year. The Cybersecurity and Infrastructure Security Agency (CISA) recently warned that every organization in the US is at risk from cyber threats. In addition, ECRI predicted that cyberattacks would be the primary hazard in the health technology space this year.


Catholic Hospice, a South Florida hospice center, began notifying 15,000 individuals of an employee email breach that led to potential protected health information (PHI) exposure.

On December 1, Catholic Hospice determined that three employee email accounts may have been compromised. The hospice center engaged with an independent forensics firm “to review the information in the account to identify and extract any protected health information,” the notice said.

Impacted information may have included names, addresses, demographic data, medical information, Social Security numbers, and treatment information.

“Catholic Hospice is taking steps to minimize the risk of this kind of event from happening in the future,”

the notice continued.

“In response to the incident, independent computer forensic experts were engaged to assist with determining the scope and impact of the incident, and passwords were changed on the impacted accounts.”

It is unclear whether Catholic Hospice determined data misuse due to the compromise.


On December 16, 2021, Priority Health in Grand Rapids, Michigan, discovered unauthorized access to some of its Priority Health Member Portal (PHMP) accounts. An investigation revealed that the unauthorized actor may have viewed names, birth dates, phone numbers, email addresses, insurance information, addresses, and limited medical information.

It is unclear how many individuals were impacted as a result of the incident.

“There is no evidence that Social Security Numbers were accessed, and the investigation has not revealed any misuse,”

Priority Health’s notice explained.

“However, out of an abundance of caution, Priority Health has alerted all members and employers who were potentially impacted by this incident and is providing a variety of services and measures to help safeguard those individuals.”

Priority Health temporarily disabled all PHMP member accounts from December 16 to December 21 and later required members to reset their passwords. In mid-January, Priority Health also began requiring multi-factor authentication for all accounts.

In addition to working closely with cybersecurity professionals, Priority Health is offering impacted individuals 24 months of identity theft protection.


Cross Timbers Health Clinics, also known as AccelHealth, provided notice of a malware incident that potentially exposed protected health information. On December 15, 2021, the Texas-based Federal Qualified Health Center (FQHC) discovered that it could not access some files on its servers.

Further investigation revealed that a malware attack had restricted access to certain files between December 9 and December 15.

By January 14, AccelHealth determined that names, Social Security numbers, financial account numbers, health insurance information, medical record numbers, birth dates, addresses, medical record numbers, and treatment information may have been improperly accessed. AccelHealth said it found no actual or attempted misuse of this information.

“Accel takes this incident and the security of personal information in our care very seriously.  As part of our ongoing commitment to the privacy of information in our care, we are implementing additional technical security measures designed to mitigate recurrence of this type of incident,”

the notice stated. 

“We are also reviewing and enhancing existing data privacy policies and procedures.  As an added precaution, Accel is offering credit monitoring for individuals whose information was impacted.”

Impacted individuals should remain vigilant and review account statements and explanation of benefit forms.


Comprehensive Health Services (CHS) in Cape Canaveral, Florida, said it detected unusual network activity on September 30, 2020, following the discovery of fraudulent wire transfers.

CHS “took immediate steps to secure its digital environment and promptly launched an investigation” and determined in November 2021 that some personally identifiable information may have been accessed or acquired.

The information involved included Social Security numbers, names, and birth dates. Since the breached information did not appear to include protected health information, it is unclear how many individuals were impacted.

“There is no evidence of the misuse of any information potentially involved in this incident,”

CHS stated. 

“However, on January 20, 2022, and February 14, 2022, CHS sent notification letters to the individuals whose personal information was potentially involved in this incident for whom CHS had identifiable address information providing them information about what happened and steps they can take to protect their personal information.”

There was no explanation for why it took CHS over a year to notify impacted individuals.