25,000 Adirondack Health Patients Impacted by Email Account Hack

Jul 16, 2019

Adirondack Health is notifying almost 25,000 patients that a portion of their protected health information has potentially been obtained by a cyber criminal from the Vermont-based organization.

The data may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and some small amount of treatment and/or clinical information. A number of subscribers also had their Social Security numbers accessed.

Adirondack Health is a member of Adirondacks Accountable Care Organization (ACO), which includes a number of different healthcare providers. For review purposes and to help enhance the quality of services given to patients, ACO receives and analyzes certain patient data.

ACO recently noticed an unauthorized individual had gained access to the email account of a staff member. The breach was discovered on March 4, 2019 and the account was immediately locked down. The hacker had access to the account for around two days.

ACO reviewed all emails and attachments in the impacted account to determine whether any PHI had been exposed. There was a single item in the compromised account that included private information: An email discussion about patients in the North Country who failed to attend a baby health screening appointment.

The conversation was linked to an ACO population health analysis. Also included in the email was a ‘gap-in-care’ spreadsheet that included PHI. No proof was found which suggested the email was opened, but the possibility could not be eliminated.

Breach notification letters were transmitted to impacted patients in early July, but it has taken some time to find some patients’ current addresses. Around 25,000 letters have now been shared and only a few are left to post out.

Patients whose Social Security number was accessible have been offered free credit monitoring and identity theft protection services, if they wish to avail of them. All patients have been advised to review their financial accounts and explanation of benefits statements and to be alert to the danger of fraudulent use of their data.

A representative for Adirondack Health said the email account was logged onto remotely by an individual outside the United States. The account breach was not the result of a phishing attack.

Adirondack Health has since amended its policies and processes regarding the use of email for communicating files that include PHI.


Ryan Coyne
