CONTACT Olga Dack, Office of Communications, (402) 471-9356, firstname.lastname@example.org
Lincoln – The Nebraska Department of Health and Human Services (DHHS) today reported that the U.S. Department of Health and Human Services Office for Civil Rights, has been notified of an incident involving a breach of protected health information which occurred within Aging Partners, a department of the City of Lincoln. On May 25, 2021, the City's Information Services Department discovered that between May 18, 2021 and May 21, 2021, as a result of a “phishing" scam, an unauthorized individual had access to email accounts which contained over 46,000 total emails, some of which contained protected health information.
When Aging Partners learned about the incident, the City immediately disconnected access to the at-risk emails and new passcodes were established. City staff performed an investigation and determined that some HIPAA-protected information was vulnerable.
The City then contracted with a third-party forensic company to determine the extent of the breach. In taking the strongest precaution regarding the security of the information, Aging Partners has reviewed over 46,000 individual emails to identify all possible HIPAA-related information that could have been accessed or disclosed. It was determined that emails involving 1,513 program participants contained one or more identifiers of protected health information. These identifiers included one or more types of personal information, such as name, address, date of birth, phone number, social security number, date of service, type and amount of service, or other health information (i.e., medical conditions, level of care assessments, or medication lists). Majority of emails contained names of program participants only.
A small number of emails in the information breach contained bank account or other financial information. These individuals will have the opportunity to take advantage of professional credit monitoring paid for by Aging Partners.
All program participants, whose protected health information may have been at risk for access or disclosure, will receive information from Aging Partners by First Class Mail. Affected consumers should call one of the toll-free numbers for the three major credit bureaus to obtain a free annual credit report in order to monitor any suspicious activity. Participants should also consider placing a fraud alert on their credit report to prevent improper use of information. The monitoring bureaus are: Equifax, (800) 685-1111 or at www.equifax.com/personal/credit-report-services; Experian, (888) 397-3742 or Experian.com/help; and TransUnion (888) 909-8872 or https://www.transunion.com/fraud-alerts.
Randall Jones, Director of Aging Partners, stresses that privacy of information provided to Aging Partners by DHHS is of top priority to their organization and that they are continually striving to improve their processes, including personal information security and steadfast compliance with the HIPAA regulations. Besides immediately eliminating access, additional steps taken by Aging Partners to mitigate this breach include providing further education on cyber security for Aging Partners' staff and implementation of additional safeguards to prevent future breaches.
DHHS will continue to monitor the implementation of Aging Partners' additional safeguards in order to ensure that their plan to mitigate the breach meets all requirements for protection of Nebraskans' privacy.
Per federal regulation 45 CFR 164.406, Nebraska DHHS is required to notify the public of a breach by one of its contractors of unsecured protected health information involving more than 500 residents of the State. Additionally, per contractual obligations with DHHS, the City of Lincoln is required to notify all individuals affected by the breach and the Office of Civil Rights.
Aging Partners clients are welcome to contact Randall Jones, Director of Aging Partners at (833) 952-0001 or email@example.com; for further information, contact the Nebraska Department of Health and Human Services, HIPAA Office at dhhs.HIPAAoffice@nebraska.gov.