Pawnee County Memorial Hospital in Pawnee City, Nebraska, is contacting 7,038 clients that some of their protected health information has possibly been accessed by a cyber criminal.
On November 29, 2018, the hospital were advised that malware had been downloaded which allowed an unauthorized person to obtain access to its email system.
Malware was placed into the hospital’s email system when a staff member opened a malicious email attachment. According to Pawnee County Memorial Hospital’s substitute breach notice, the email seemed to have been sent from a trusted source and the email attachment seemed authentic.
With the help of a third-party computer forensics expert, the hospital determined that the email attachment had been clicked on during November 16, 2018. The cyber criminal was able to access employees’ email accounts from November 16 to November 24.
The compromised email accounts included a range of business reports, clinical reports, clinical summaries, and other internal files. Those documents included patients’ full names along with one or more of the following data pieces of data: Date of birth, address, diagnosis, lab test results, medical record number, insurance information, state ID number, driver’s license number and, for a limited number of patients, Social Security number.
While there was potential for PHI to take place, it is unclear whether the hacker viewed or stole any patient information. The hospital believes the attack was financially motivated and was not carried out with the aim of stealing patient information.
Reacting to the breach, the hospital reset all passwords on staff email accounts and additional technology safeguards are being put in place to enhance email security.
The hospital has issued breach notification letters to all patients whose PHI was impacted and has offered free enrollment in the MyTrueIdentity online credit monitoring service for one year.