A Seton Family of Hospitals HIPAA breach has been reported. The Protected Health Information (PHI) of approximately 39,000 patients has been obtained by hackers after some of the healthcare provider’s email accounts were compromised on February 26, 2015.
Hackers are understood to have gained access to the email accounts using a phishing campaign in which users’ login details were captured. An unspecified number of accounts were compromised in the incident and the data contained in those email accounts included ePHI. The data potentially exposed included Social Security numbers, medical record numbers and insurance details along with names and demographic information.
Seton launched an investigation into the incident as soon as the illegal access was discovered; however it took some time to establish how many email accounts had been affected and those accounts needed to be checked to determine whether PHI was contained in the emails and which patient records had been compromised.
Seton group of Hospitals confirmed that access to the affected email accounts was rapidly shut down as soon as it was discovered that hackers had breached the hospital’s security defenses. No further threat of PHI exposure is believed to exist; however the healthcare provider confirmed in a statement that it will “continue to implement administrative, technical and physical safeguards against unauthorized access of protected information,” and that Seton Family of Hospitals is “taking all necessary and appropriate steps to prevent a recurrence.”
Breach notifications have now been issued and all affected individuals are being offered assistance with monitoring their credit. It is not clear at this stage whether Seton Family of Hospitals will be paying for credit monitoring services for all individuals affected by the breach.
While this is the first time the healthcare provider has reported a HIPAA breach caused by hackers, it is the second time that Seton has reported a HIPAA breach to the Department of Health and Human Services’ Office for Civil Rights that involved more than 500 individuals. In October 2013, a laptop computer containing the unencrypted ePHI of approximately 5,000 patients was stolen from the Seton McCarthy Clinic.