The Dallas, TX-based physician staffing company EmCare has revealed that it has experienced a data breach affecting around 60,000 individuals, 31,000 of whom were patients.
The exposed data was contained in emails and email attachments in employee email accounts that were accessed by an unauthorized person after several employees responded to phishing emails and disclosed their email details. It is unclear from EmCare’s breach notice when the breach took place and how long the hackers had access to the email accounts.
The breach was first noticed on February 19, 2019. An investigation was initiated and, with the assistance of a third-party computer forensics firm, it was determined that the compromised email accounts contained information about patients, employees, and contractors. The following data was held in the email accounts and was potentially accessed or copied by the hackers: names, dates of birth, driver’s license numbers, Social Security numbers, demographic information, and clinical details.
The investigation did not find evidence to suggest patient or employee details were accessed or exfiltrated by the hackers, although the possibility could not be completely ruled out. No reports have been submitted to suggest that patient or employee information has been misused so far.
EmCare is providing one year of free credit monitoring and identity theft protection services for individuals whose Social Security number or driver’s license number was potentially impacted.
Notification letters were mailed to affected people on April 19, 2019, 59 days after the discovery of the breach, one day before the HIPAA Breach Notification Rule reporting deadline.
EmCare has addressed the breach by introducing a range of “advanced IT solutions”, and employees have been given further training on email security.
The breach report filed with the Department of Health and Human Services’ Office for Civil Rights stated that 31,236 patients were impacted by the data breach.