Covenant Care California Reports Data Breach

On May 9, 2022, Covenant Care of California reported a data breach stemming from a phishing incident [1] at Wagner Heights Nursing and Rehabilitation Center, located in Stockton, California. According to the company, on February 24, 2022, Covenant learned that an employee at Wagner Heights had “suspicious activity” within her email account. The suspicious activity was discovered to be a successful phishing email that allowed unauthorized entry to the company’s email.

After review, on April 18, 2022, Covenant determined that patient records were in the compromised account at the time of the phishing attack. Covenant is offering identity monitoring services through Kroll. The notice states that there is a deadline for enrollment for these services.

The full text of a sample of the Covenant Notice of Data Breach can be found here.

California Privacy Laws Protect You

If you are a California resident, several laws, including the California Confidentiality of Medical Information Act (CMIA), require that every health care provider who maintains medical information do so in a manner that reasonably preserves its confidentiality.

Under the CMIA, if you received a recent Notice of Data Breach from Covenant Care California, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices in place to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

Patient Medical Records Are Highly Attractive Targets for Cyber-Criminals

Identity theft is on the upswing. By 2021, there were over 50 million personal records compromised nationwide. Even Equifax and Experian, which are in the business of offering credit monitoring services, have experienced massive data breaches, affecting over 150 million people.

For the last few years, healthcare providers and health plans have been targeted repeatedly by ransomware groups and other cyber-criminals, who use phishing as a way of improperly accessing sensitive data like medical information.

As data held by physician groups, nursing homes, and hospitals is particularly sensitive, these cyber thieves recognize the pressure they can wield by stealing medical files. And when data such as Social Security Numbers and medical records are stolen, cyber thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.

When businesses possess confidential medical data, it is vital that they maintain this information with the utmost care and security in mind. Health-related data “are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof.” [2]

Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for attacks and to meet their health data breach notification obligations to protect the public.[3]

Not every data breach will lead to identity theft. But once you know your data has been disclosed, it is reasonable to be concerned that your data might be used. Compromised data also increases the risk of hacking and phishing, and adds to anxiety over future losses and identity theft.

Update

Covenant Care California Reports a Second Subsidiary Affected by Its February Data Breach

On May 17, 2022, Covenant Care of California reported that yet another of its facilities was compromised in a phishing incident on the same date as the Wagner Heights incident reported here last week.

This time, Rehabfocus Home Health, Inc., the licensee of Focus Health, a home health agency (“Focus Health”), was the source of the data breach.

Just like at the Wagner Heights facility, an employee at Focus Health noticed suspicious activity in her email account. The breach started on the same day as at the Wagner Heights location, February 24, 2022, but the cyber-criminal was not discovered as quickly, having unauthorized access from February 24 to March 4, 2022.

Covenant determined that patient records were present in the email account at the time of the compromise.

Covenant is again offering identity monitoring services through Kroll. The notice states that there is a deadline for enrollment for these services.

The full text of a sample of the Covenant Notice of Data Breach can be found here.

As explained above, under the CMIA, if you received a recent Notice of Data Breach from Covenant Care California, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.

Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices in place to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

“Patient medical records contain some of our most personal information. They deserve to be protected with the utmost care and attention.

Patients and their families have enough to worry about when they are dealing with a medical issue. The last thing they should have to think about is whether their confidential medical information is being held securely by their health care providers.”

(April M. Strauss, senior California attorney and Certified Information Privacy Professional, calprivacy.com)

[1] What is “phishing”? “Phishing” is a type of scam where a cyber-criminal sends a fraudulent email to trick a person into believing they are interacting with a legitimate business or person, so that they will open an email containing code that affects their computer or will reveal sensitive information.

[2] Seh AH, et al., Healthcare Data Breaches: Insights and Implications. Healthcare. 2020; 8(2):133.

[3] Source: R. Bonta, California Attorney General, BULLETIN: Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and Requirements Regarding Health Data Breach Reporting (2021).