It was discovered on May 1 that up to four employee email accounts containing patients’ protected health information (PHI) had been infiltrated at Akron, Ohio-based Summa Health after an unauthorized person obtained access.
Summa Health noticed the breach and launched an investigation that found two email accounts were infiltrated during August 2018, and a further two accounts between March 11, 2019 and March 29, 2019.
All four accounts were swiftly secured and a third-party computer forensics firm was contracted to determine whether any patient data had been accessed or stolen. The firm found no proof of data theft or PHI access, although they could not eliminate the possibility that patient information was exposed in the breach.
A review of the impacted accounts revealed they included the following types of PHI: Patient names, dates of birth, medical record numbers, patient account numbers, clinical information, and treatment data.
Overall, 10,893 patients were impacted. A small subset of those patients also had their Social Security numbers and/or driver’s license information accessible.
On June 28, 2019, Summa Health sent two separate breach reports to OCR for the August and March attacks, one affecting 7,989 people and the other affecting 2,904 people.
Free-of-charge credit monitoring and identity protection services have been made available to patients whose Social Security number or driver’s license number was accessible.
Summa Health will be conducting more employee training on privacy and security and additional security measures will be implemented to bolster email security.
Email Breach at Addison County Home Health & Hospice
758 Addison County Home Health & Hospice clients located in Vermont have been contacted to make them aware that some of their PHI has been exposed as a result of a recent email security breach.
The breach was first noticed on April 26, 2019, and the investigation showed that impermissible access to the account took place on February 19, 2019.
An investigation into the emails in the account revealed they incorporated names, clinical information, and for certain patients, medical record numbers and Social Security details.
A free one-year membership to credit monitoring and identity security services has been offered to individuals whose Social Security number was accessible.
The hospice will be bolstering its technical security controls and additional training will be given to staff members to help them notice phishing emails.