The Saint Francis Ministries health system reported that an unauthorized individual accessed the email account of one of its employees, resulting in a potential compromise of patient information.
The health system discovered the breach on December 19, 2019 upon noticing suspicious activity in the email account of an employee. A third-party computer forensics company investigated the breach and confirmed on February 12, 2020 that there was unauthorized access to the account between December 13, 2020 and December 20, 2019. It cannot be determined whether the attacker accessed emails that included patient information or downloaded any email messages. However, no reports have been received that suggest the misuse of any patient information.
A review of the affected accounts done on March 24, 2020 confirmed the potential compromise of the following information: name, date of birth, driver’s license number, Social Security number, state ID number, bank/financial account number, credit or debit card number, username and password, diagnosis, treatment information, prescription data, provider name, Medicare/Medicaid number, medical record number, health insurance data, and treatment cost details.
On April 12, Saint Francis Ministries started sending notification letters to affected people. The health system also offered the affected patients complimentary credit monitoring and identity theft protection services and took steps to improve email security so that similar breaches will be avoided in the future.
Phishing Attack on Hartford Healthcare
Hartford Healthcare, a healthcare network established in Connecticut and Rhode Island, experienced a phishing attack and reported it on April 13, 2020. The healthcare network discovered the attack on February 13, 2020 upon noticing unusual activity in the email accounts of two employees.
With the help of a third-party computer forensics company, Hartford Healthcare confirmed that the hackers accessed the email accounts from February 13 to February 14, 2020.
At least one of the email accounts contained protected health information (PHI). The PHI of a number of patients included names, health insurance details, medical record numbers, and other health-related information. The email accounts also contained the Social Security numbers of 23 patients.
Hartford Healthcare stated that the attack affected 2,651 patients and that breach notifications are being sent now. There were 23 individuals who received offers of two-year complimentary credit monitoring and identity theft protection services because of the potential compromise of their Social Security numbers.