Adirondack Health is notifying almost 25,000 patients that a portion of their protected health information (PHI) may have been obtained by a cybercriminal from the Vermont-based organization.
The data may have included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and a small amount of treatment and/or clinical information. A number of subscribers also had their Social Security number accessed.
Adirondack Health is a member of the Adirondacks Accountable Care Organization (ACO), which includes a number of different healthcare providers. For review purposes and to help improve the quality of services given to patients, the ACO receives and analyzes certain patient data.
The ACO recently discovered that an unauthorized individual had gained access to the email account of a staff member. The breach was discovered on March 4, 2019, and the account was immediately locked down. The attacker had access to the account for around two days.
The ACO reviewed all emails and attachments in the affected account to determine whether any PHI had been exposed. A single item in the compromised account contained private information: an email discussion about patients in the North Country who had failed to attend a baby health screening appointment.
The conversation was linked to an ACO population health analysis. The email also carried a ‘gap-in-care’ spreadsheet that contained PHI. No evidence was found that the email had been opened, but the possibility could not be ruled out.
Breach notification letters were sent to affected patients in early July, but it has taken some time to locate current addresses for some patients. Around 25,000 letters have now been sent and only a few remain to be posted.
Patients whose Social Security number was exposed have been offered free credit monitoring and identity theft protection services, should they wish to use them. All patients have been advised to review their financial accounts and explanation of benefits statements and to be alert to the risk of fraudulent use of their data.
A representative for Adirondack Health said the email account was accessed remotely by an individual outside the United States. The account breach was not the result of a phishing attack.
Adirondack Health has since amended its policies and procedures regarding the use of email for sending files containing PHI.