Aultman Health Foundation Phishing Attack Impacts up to 42,600 Patients

May 28, 2018

Aultman Health Foundation, which operates Aultman Hospital in Canton, OH, is alerting around 42,600 patients that some of their protected health information may have been accessed due to a phishing attack.

Unknown, unauthorized individuals gained access to several email accounts used by staff members of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician centers.

The unauthorized access was first identified on March 28, 2018, leading to a full investigation to determine the extent of the breach and whether any sensitive information may have been accessed. Third-party information security consultants were engaged to assist with the investigation and found that the email accounts were accessed on several occasions, beginning in mid-February and continuing until the breach was detected and remediated in late March.

The breach was restricted to email accounts. The system that stores electronic medical records was not accessed. Email accounts used by Aultman Hospital and certain physician practices contained names, addresses, clinical information, medical history numbers and physicians’ names.

People tested by AultWorks Occupational Medicine had a larger range of information exposed including name, address, date of birth, medical history, reports on physical examinations, the results of drug, hearing, and breathing tests, and other lab test results. Certain AultWorks Occupational Medicine patients also had their driver’s license number and/or Social Security number obtained. Social Security numbers were only exposed in instances where employers use Social Security numbers to identify employees/potential staff members.

When the phishing attack was identified, Aultman Health Foundation performed a password reset to stop any further unauthorized access to email accounts and ensured that only secure, complex passwords could be set. Security monitoring has been enhanced to detect any future breaches more quickly, and additional security controls have been applied to email accounts to block possible attacks. Staff members have also been given further training to improve resilience to phishing attempts.

Aultman Health Foundation outlined in a security breach FAQ that it was not possible to ascertain whether emails and email attachments including PHI were opened and read by the person(s) behind the attack; however, no reports have been submitted to date to suggest any information in the accounts has been improperly used.

All patients affected by the incident have been warned to check their credit reports and Explanation of Benefits statements in detail for any evidence of fraudulent use of their information, and individuals whose driver’s license number or Social Security number was obtained have been offered free credit monitoring services.


Patrick Kennedy
