2,143 Patients Impacted by United Hospital District Phishing Attack


United Hospital District, based in Blue Earth, MN, discovered that patient information was exposed and potentially accessed by an unauthorized person as a result of a phishing attack in June 2018.

One email account was compromised in the phishing incident. The attacker obtained the account's credentials when an employee responded to a phishing email. The healthcare provider posted a substitute breach notice on its website indicating that the account was accessed from June 10, 2018 to June 27, 2018.

Third-party cybersecurity professionals conducted a detailed examination of the compromised account and established on December 12, 2018 that the attacker potentially accessed patient information. The investigators found the protected health information (PHI) of 2,143 patients in emails and file attachments.

The types of information in the email account varied from one patient to another. The following may have been included: names, addresses, health insurance details, and internal patient identification numbers. For some patients, diagnoses, treatment data, and/or Social Security numbers were also compromised. Although the attacker may have accessed the data, this was not proven. No reports have been received that indicate misuse of any patient information.

United Hospital District sent breach notifications by mail to all affected patients and offered those whose Social Security numbers were exposed a free one-year enrollment in credit monitoring and identity theft restoration services.

In response to the data breach, the hospital implemented additional email security controls and gave employees more security awareness training.