St. Mary’s Medical Center has sent 4,400 patient breach notification letters warning of a HIPAA breach in which hackers gained access to several email accounts of hospital employees, according to a statement issued by hospital spokesman, Randy Capehart.
The statement announced that a sophisticated email hack had taken place in January this year in which hackers gained access to several email accounts of hospital employees. The compromised email accounts contained the protected health information (PHI) and personally identifiable information of approximately 4,400 patients.
Under HIPAA regulations, patient breach notification letters must be sent to all affected individuals within 60 days of the discovery of a breach, although covered entities should send notifications as soon as possible. Capehart explained that it took some time to investigate the breach and to determine if any data was accessible, which is why the letters were delayed.
St. Mary’s Medical Center has implemented HIPAA policies governing data security and routinely monitors its email accounts for signs of unauthorized access. This ensured the security breach could be rapidly identified, and the affected email accounts were quickly closed to prevent any further access by the thieves.
The cyber attack involved “fraudulent email communications,” but it is not clear whether account names and passwords were obtained via a phishing scam or malware.
The hospital has begun a full forensic investigation, which is continuing; however, it is now apparent that health information, insurance details, names, dates of birth, gender and some Social Security numbers were accessible via the compromised email accounts.
In the breach notification letters, patients are advised of the nature of the breach and the information known so far. They have also been offered credit monitoring and identity protection services for one year without charge, although only if their Social Security numbers were exposed. If no Social Security number was present in the email accounts, or accessible through them, patients are being offered a free credit report from Equifax, Experian and TransUnion.
The incident is reportable to the Office for Civil Rights within 60 days, and the OCR may choose to investigate if there are any indications of HIPAA violations.