SRHD News

Notice of Release of Personal Information Due to Unauthorized Breach

Notice of Release of Personal Information Due to Unauthorized Breach

Mar 24, 2022

Media Contact: Kelli Hawkins | khawkins@srhd.org | (509) 324-1539, c (509) 994-8968


SRHD Apologizes and Commits to Corrective Actions



Spokane, Wash. - This past week, Spokane Regional Health District (SRHD) confirmed personal data may have been disclosed after the discovery of an unauthorized breach of personal health information via a phishing email, occurring on February 24, 2022. SRHD Information Technology (IT) staff were alerted to a possible phishing attempt. An internal investigation which concluded this past week, discovered files containing client protected health information may have been “previewed” by the data thief. The investigation did not find any documents had been opened, accessed, or downloaded.

The potential disclosure affects 1,260 individuals from two departments. The first group of individuals, totaling 1,060 people, may have had the following data viewed:
First and last names, initials
Date of birth
Date in emergency department
Source of referral
Provider Hospital name
Diagnosing state
Whether or not patient was located
Date located
Patient risk level
Staging level
How medication is being picked up
Type of test
Test results
Treatment
Medication and reason prescribed
Meets criteria for expedited partner therapy
Delivery date (baby)
Treatment provided (baby)
Titer (diagnostic)
Medical referrals
Client notes
The second group affects 200 people and data viewed includes:
First and last names, initials
Date of birth
Phone number
Shelter location
Test date
Notes

According to Lola Phillips, SRHD Deputy Administrative Officer, SRHD has implemented appropriate corrective actions to mitigate unauthorized disclosure of information in the future by stopping the current breach, ensuring future connections cannot be made, reinforcing current cyber security training with staff that contains the use of multifactor authentication, and performing additional testing on related systems.

“Much like the rest of the state of Washington, SRHD has experienced a record-level spike in phishing emails and malware installation attempts. In this instance, staff fell prey to a phishing scam which exposed confidential information to data thieves,” Phillips said. “We have a strong commitment to safeguard your personal information, and we are working diligently to reduce the likelihood of future events.”

Notification was provided to those whose information was included in the potential disclosure. No Social Security numbers or financial information were noted on any of the documents, however those affected are encouraged to monitor their bank accounts and report any suspicious activity immediately. In addition, the Explanation of Benefits (EOB) from the insurance companies should be monitored for possible ID theft activities.

“We are committed to protecting the information of our clients and sincerely apologize for this incident,” Phillips said.

Additional questions or requests for information can be requested through SRHD’s Privacy Officer:

  • (509) 324-1439 (Toll free: 800-854-9173)
  • jmontiel@srhd.org
  • Mail to: Spokane Regional Health District
    Attn. Privacy Officer
    1101 W. College Ave.
    Spokane, WA 99201