The breach was restricted to a single staff email account and no proof was found to indicate any emails have been accessed or downloaded by the hacker. A thorough investigation was carried out with the help of a third-party cybersecurity agency. The investigation finished on September 25.
The investigation incorporated a manual review of all emails in the hacked account to identify patients impacted and the range of information that may have been impacted.
Southwest Washington Regional Surgery Center revealed in its breach notice that the beach was restricted to these PHI elements: Names, driver’s license details, Social Security numbers, medical records and for a restricted number of patients, credit card numbers.
The investigation showed that the email account was compromised on May 27, 2018 and access remained open until August 13, 2018.
Patients impacted by the breach were issued breach notification letters on November 6, 2018 and have been offered free credit monitoring and identity theft restoration services for one year. Information has also been made available on the measures that should employed to lessen the danger of identity theft and fraud.
The breach has led to Southwest Washington Regional Surgery Center to improve its email access procedures to stop further successful phishing attacks, passwords were reset, and its password policy refreshed.