Top of the World Ranch Treatment Center, a 24‐bed facility in Milan, Illinois, experienced a successful phishing attack in 2023, in which a third party accessed personal health information through an employee's email account. The treatment center reported the breach to the federal Department of Health and Human Services, notifying the Office for Civil Rights (OCR) that, as a result, the personal health information of 1,980 patients was compromised. OCR investigated and found that the treatment center failed to conduct a thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of personal health information held by the center. The HIPAA Security Rule of 1996 requires such a risk analysis.
Alison Knopf (Mon,) studied this question.