Aultman Health Foundation, which operates Aultman Hospital in Canton, OH, is alerting around 42,600 patients that some of their protected health information may have been accessed due to a phishing attack.
Unauthorized and unknown people succeeded in obtaining access to several email accounts used by staff members of Aultman Hospital, its AultWorks Occupational Medicine division, and certain Aultman physician centers.
The unauthorized access was first identified on March 28, 2018, prompting a full investigation to determine the extent of the breach and whether any sensitive information may have been accessed. Third-party information security consultants were engaged to assist with the investigation and found that the email accounts had been accessed on several occasions beginning in mid-February and continuing until the breach was detected and remediated in late March.
The breach was restricted to email accounts; the system that stores electronic medical records was not accessed. Email accounts used by Aultman Hospital and certain physician practices contained names, addresses, clinical information, medical record numbers and physicians’ names.
People tested by AultWorks Occupational Medicine had a wider range of information exposed, including name, address, date of birth, medical history, reports on physical examinations, the results of drug, hearing, and breathing tests, and other lab test results. Certain AultWorks Occupational Medicine patients also had their driver’s license number and/or Social Security number exposed. Social Security numbers were exposed only in cases where employers use Social Security numbers to identify employees or prospective employees.
When the phishing attack was identified, Aultman Health Foundation performed a password reset to stop any further unauthorized access to the email accounts and ensured that only complex passwords could be set. Security monitoring has been enhanced to detect any future breaches more quickly, and additional security controls have been applied to email accounts to block similar attacks. Staff members have also been given further training to improve resilience to phishing attempts.
Aultman Health Foundation stated in a security breach FAQ that it was not possible to ascertain whether emails and email attachments containing PHI were opened and read by the person(s) behind the attack; however, no reports have been received to date to suggest that any information in the accounts has been misused.
All patients affected by the incident have been advised to check their credit reports and Explanation of Benefits statements carefully for any evidence of fraudulent use of their information, and individuals whose driver’s license number or Social Security number was exposed have been offered free credit monitoring services.