Health Care Companies Impacted by Phishing Attack
- Focus Health
- RehabFocus Home Health
- Elevate Health Group
- Choice Home Health
- San Diego Home Health
On June 22, 2022, Covenant Care California, LLC issued a third Data Breach Notice to the California Office of the Attorney General, as the list of affected health care facilities operated by the Covenant Care data breach continues to expand.
Covenant Care, based in Aliso Viejo, California, provides home health services that include skilled nursing, physical therapy, occupation therapy, home health aide assistance, personal care services, and lifestyle management.
According to the company, in February 2022, Covenant Care discovered “suspicious activity” in an employee account. After investigation, Covenant Care determined that an unauthorized actor had accessed email accounts associated with its Home Health division at various times between February 24, 2022 and March 22, 2022.
A sample of the Covenant Care Notice of Data Breach can be found here.
Covenant Care is offering identity monitoring services through Kroll. The deadline for enrollment for these services is found on the notices.
An evolving story . . .
Almost two months ago, on May 9, Covenant Care reported that a data breach occurred at its Wagner Heights Nursing and Rehabilitation Center, where “an unauthorized actor(s) gained access to [an] employee’s email account for several hours via a phishing email on February 24, 2022.” (A phishing attack is typically a fraudulent email designed to infect computer systems or trick the recipient into revealing sensitive information.)
Just over a week later, on May 17, Covenant Care reported that another of its facilities was affected. This time, RehabFocus Home Health, Inc. was the source of the data breach. Just like at the Wagner Heights facility, Covenant Care determined that an employee’s email account had been breached through a successful phishing attack.
The breach started on the same day as at the Wagner Heights location, February 24, 2022, but the cyber-criminal was not discovered as quickly, having unauthorized access from February 24 to March 4, 2022.
Now, Covenant Care is reporting yet more affected facilities. Covenant Care’s latest Data Breach Notice expands the potential patients affected to those who have received services from its Home Health services division.
Covenant Care’s Home Health operations include Focus Health, Elevate Health Group, Choice Home Health, and San Diego Home Health. Covenant Care now reports that the hacker gained access to multiple email accounts “at various times between February 24 and March 22, 2022.”
Covenant Care Reported a Similar Data Breach in 2019
This is not Covenant Care’s first reported data breach. In fact, Covenant Care reported a similar data breach in 2019 that compromised detailed patient information. In that breach, Covenant Care determined that, from January 22, 2019 to January 29, 2019, an “unauthorized actor was able to login to the email account leveraging compromised user credentials.”
Patient Medical Records Are Highly Attractive Targets for Cyber-Criminals
Healthcare providers and health plans have been targeted repeatedly by ransomware groups and other cyber-criminals for the last few years, who use phishing as a way of improperly accessing sensitive data like medical information.
As data held by physician groups, nursing homes, and hospitals is particularly sensitive, these cyber thieves recognize the pressure they can wield by stealing medical files. Cyber thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.
When businesses possess confidential medical data, it is vital that they maintain this information with the utmost care and security in mind. Health-related data “are more sensitive than other types of data because any data tampering can lead to faulty treatment, with fatal and irreversible losses to patients. Hence, healthcare data need enhanced security, and should be breach-proof.” 
Therefore, it is important for providers of healthcare to be proactive and vigilant about reducing their risk for attacks and to meet their health data breach notification obligations to protect the public. Once you know your data has been disclosed, it is reasonable to take action to avoid concerns that your data will be used to cause you significant financial losses. Compromised data also increases the risk of hacking, phishing, and increased anxiety over future losses and identity theft.
Privacy Laws Protect You
If you have been affected by Covenant Care’s data breach several laws, including the California Confidentiality of Medical Information Act (CMIA), require that every health care provider who maintains medical information do so in a manner that reasonably preserves its confidentiality.
Under the CMIA, if you received a recent Notice of Data Breach from Covenant Care California, you may be entitled to $1,000 and your actual damages resulting from the negligent release of your confidential information.
Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices in place to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.