Vermont-based Adirondack Health is notifying around 25,000 patients that some of their protected health information (PHI) has potentially been obtained by a cyber criminal.
The information potentially exposed includes patients' names, dates of birth, Medicare ID numbers or health insurance member numbers, and limited treatment and/or clinical information. A smaller subset of patients also had their Social Security number accessible.
Adirondack Health is part of the Adirondacks Accountable Care Organization (ACO), a group that includes a number of different healthcare providers. For monitoring purposes and to help improve the quality of services provided to patients, the ACO receives and reviews certain patient information.
The ACO recently discovered that an unauthorized individual had accessed the email account of an employee. The breach was first noticed on March 4, 2019 and the account was immediately secured. The hacker had been able to access the account for a period of two days.
The ACO investigated all emails and attachments in the compromised account to determine whether any PHI had been impacted. Only one item in the compromised account included private information: an email discussion regarding patients in the North Country who did not attend a baby health screening appointment.
The discussion related to an ACO population health analysis. Attached to the email was a 'gap-in-care' spreadsheet that contained PHI. No evidence was uncovered indicating that the email had been opened, but the possibility could not be ruled out.
Breach notification letters were issued for impacted patients in early July, but it has taken some time to identify some patients’ current addresses. Approximately 25,000 letters have now been sent and only a few are left.
Patients whose Social Security number was accessible have been provided with free credit monitoring and identity theft protection services. All patients have been warned to monitor their financial accounts and explanation of benefits statements and to be alert to the risk of fraudulent use of their details.
An Adirondack Health representative said the email account was accessed remotely by a person located outside the United States. The account breach was not the result of a phishing attack.
Adirondack Health has since amended its policies and processes in relation to the use of email for communicating files that include PHI.