St. Croix Hospice, provides hospice care across the Midwest, discovered that an unauthorized person accessed an employee’s email account and could have viewed patient data.
The hospice detected the breach on May 10, 2019 upon seeing suspicious email activity in the account. Investigation went underway with the help of a third-party computer forensics company. It was discovered the compromise of a number of employees’ email accounts from April 23, 2019 to May 11, 2019. It was impossible to ascertain if any patient data was accessed or duplicated, however the forensics company affirmed the unauthorized access of the accounts.
The forensics team conducted a comprehensive assessment of the compromised email accounts to determine which patients’ protected health information (PHI) were exposed. The exposure of PHI was confirmed on June 21, 2019. After the completion of the review, St. Croix Hospice is sending patients notifications about the potential compromise of their information such as their name, address, financial data, Social Security number, medical insurance data, medical history, and treatment data. The healthcare provider also offered all affected patients free credit monitoring and identity theft protection services.
St. Croix submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights indicating that the breach impacted 21,407 patients.
Cyberattack on Hunt Regional Healthcare
Hunt Regional Healthcare based in Greenville, TX announced a cyberattack that happened on their company on May 14, 2019. Hackers were able to access its computer network along with certain patients’ protected health information.
The information potentially accessed by the attackers included patient names, phone numbers, birth dates, Social Security numbers, ethnicity, and religious backgrounds. The FBI received a report about the hacking incident and is helping in the investigation.
Hunt Regional Healthcare stated that it did not find any evidence that data was accessed without authorization or stolen. However, it sent notifications to patients as a precaution and offered access to IDExperts credit monitoring and identity theft protection services for free.
The number of patients affected by the breach is unclear at this time.