Valley Hope Association has revealed that a hacker has been able to log onto the email account of a member of staff.
The organisation discovered that an account breach may have taken place on October 10, 2018, when unusual account activity was noticed. Swift action was taken to stop further account access, and a third-party computer forensics firm was retained to determine the nature and scope of the data breach.
The investigation showed on November 23, 2018, that an unauthorized individual had logged onto a single email account between October 9 and 10, 2018, and may have viewed emails and attachments containing patients’ protected health information. After a complete review of all emails and email attachments, the forensics firm stated that certain patients’ PHI may have been viewed.
The range of information included in the emails varied from patient to patient and may have included one or more of the following pieces of data: Name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical number, health insurance data, and physician’s contact details. No diagnosis or treatment information was included in the emails.
After the confirmation of exposed data, Valley Hope Association has been trying to locate current contact information for all affected individuals, and each will be alerted and told about the exact information that may have been compromised. While data access/theft could have occurred, no reports have been received to suggest any patient information has been improperly used.
As a precautionary measure against identity theft and fraud, patients affected by the breach have been given the chance to avail of one year of free identity theft monitoring services through Kroll.
Valley Hope Association has been looking over its security policies and procedures to further safeguard the security and confidentiality of information on its systems and extra safeguards will be put in place as necessary.
Law enforcement agencies have been made aware of the data breach, along with state regulators, credit monitoring bureaus and the Department of Health and Human Services Office for Civil Rights. The official breach report on the OCR website states that the incident has impacted 70,799 people.