25,000 Adirondack Health Patients Impacted by Email Account Hack

Jul 16, 2019

Adirondack Health is notifying almost 25,000 patients that a portion of their protected health information has potentially been obtained by a cyber criminal from the Vermont-based organization.

The data may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and some small amount of treatment and/or clinical information. A number of subscribers also had their Social Security numbers accessed.

Adirondack Health is a member of Adirondacks Accountable Care Organization (ACO), which includes a number of different healthcare providers. For reviewing purposes and to help enhance the quality of services given to patients, ACO receives and analyzes certain patient data.

ACO recently noticed an unauthorized individual had gained access to the email account of a staff member. The breach was discovered on March 4, 2019 and the account was immediately locked down. The hacker had access to the account for around two days.

ACO reviewed all emails and attachments in the impacted account to determine whether any PHI had been exposed. There was a single item in the compromised account that included private information: An email discussion about patients in the North Country who failed to attend a baby health screening appointment.

The conversation was linked to an ACO population health analysis. Also included in the email was a ‘gap-in-care’ spreadsheet that included PHI. No proof was found which suggested the email was opened, but the possibility could not be eliminated.

Breach notification letters were transmitted to impacted patients in early July, but it has taken some time to find some patients’ current addresses. Around 25,000 letters have now been shared and only a few are left to post out.

Patients whose Social Security number was accessible have been offered free credit monitoring and identity theft protection services, if they wish to avail of them. All patients have been advised to review their financial accounts and explanation of benefits statements and to be alert to the danger of fraudulent use of their data.

A representative for Adirondack Health said the email account was logged onto remotely by an individual outside the United States. The account breach was not the result of a phishing attack.

Adirondack Health has since amended its policies and processes regarding the use of email for communicating files including PHI.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
