Confluence Health in Washington State discovered an email breach in May and started an investigation to determine if it was a true breach.

Confluence Health is a not-for-profit health system that operates Central Washington Hospital, Wenatchee Valley Hospital and a dozen satellite clinics in Central and North Central Washington.

Remember that Beazley study we reported on a couple weeks ago?  This is a real-world example of an email breach.  On May 30, Confluence Health discovered that an unauthorized person may have gained access to an employee’s email account. They immediately hired a forensic firm to look into the situation to determine if it was a true breach, aka one that they would have to report and notify patients concerning.

Through the investigation, Confluence Health was able to determine that there may have been protected health information (PHI) in the account, but thankfully there was no financial information.

Additionally, in their notice to patients, they stated that they don’t believe any information possibly contained in the email account was misused.  However, Confluence Health decided to notify patients and to assure patients that they are taking the matter very seriously.  Confluence Health is also asking patients to review their statements and report any suspicious services immediately to Confluence Health.

Confluence Health stated that they have now taken additional measures to try to prevent such a situation from happening again, despite having many security measures in place already.

Finally, Confluence Health provided a phone number that patients can use to ask questions about the situation and learn what they need to do.

This is just one of many email breaches that have occurred. In the past month, phishing incidents have been reported by Texas UMC Health System, The Alive Hospice in Tennessee, Billings Clinic in Montana, Sunspire Health in New Jersey, and UPMC Cole in Pennsylvania.

Then there was the UnityPoint phishing attack that affected 1.4 million patients.  This email impersonation attack fooled several employees into disclosing login credentials (spear phishing).


Teach your employees how to protect their email accounts.  HIPAAgps offers great videos to help train your employees on important security measures.