Cyber Incident Victim: Confluence Health
Date: Mar 2018
Location: United States of America
Summary
A healthcare organization experienced a breach involving unauthorized access to an employee's email account, potentially exposing patient names and treatment information. The incident was detected during an investigation, which found no evidence of financial data compromise or subsequent misuse of the affected information. The organization engaged a third-party forensic firm to assist, notified impacted patients, and implemented heightened email security measures alongside increased network monitoring to mitigate future risks.
Description
On May 29, 2018, Confluence Health discovered that an unauthorized individual potentially accessed an employee’s email account on two occasions: March 30 and May 28 of that year. The Wenatchee-based medical organization initiated an immediate investigation, engaging a third-party forensic firm to assist in determining the scope and nature of the breach. The forensic analysis revealed that the compromised email account contained certain patient information, including names and details related to medical treatments. No financial data was stored in the affected account, and investigators found no evidence suggesting misuse of the exposed information. Confluence Health publicly disclosed the incident on July 27, 2018, through a substitute notification posted on its website and a press statement. The organization acknowledged that despite existing security measures and routine staff training programs, the breach occurred, potentially impacting patient privacy.

Affected patients received notifications advising them to review healthcare statements for discrepancies and report unrecognized services to their providers. Confluence Health emphasized its commitment to addressing the incident seriously, implementing enhanced email security protocols and expanding network monitoring for suspicious activity following the breach. A dedicated phone line (1-877-341-4604), operated during Pacific Time business hours, was established for patient inquiries. Debby Andruss, the organization’s HIPAA Privacy Officer, formally communicated regret for any concern or inconvenience caused while underscoring ongoing efforts to prevent future occurrences. The breach timeline spanned from the initial March 30 email compromise through the May 28 recurrence, with containment measures enacted upon discovery the following day.
