About 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital received notifications that some of their protected health information (PHI) were compromised due to an email account breach.
On October 18, 2018, Elizabethtown Community Hospital found out that an unauthorized person accessed the email account of an employee. Immediately, the password for the accessed email account was changed. A top rated forensic security company conducted an investigation of the incident. After 60 days of investigation, the company confirmed the compromise of just one email account on October 9, 2018.
The security of the information technology systems and medical records of the hospital remained in effect all of the time. An examination of the breached email account showed that it included the PHI of about 32,000 patients. Different patients had different types of information exposed but could have included names, birth dates, addresses, primary data like dates of service, medical record numbers, summaries of services given, and some medical data. About 1,200 persons’ Social Security numbers were likewise exposed.
While the account was accessible for nine days, the PHI of patients was possibly viewed or duplicated, but there was no information of data theft identified. Elizabethtown Community Hospital did not know of any patient information misuse.
Elizabethtown Community Hospital made a decision to inform 32,000 patients about the breach. The investigation is still continuing, and fewer patients may have been affected by the breach. All patients whose Social Security numbers were compromised received offers of free credit monitoring and identity theft protection services.
Elizabethtown Community Hospital improved its email system security and provided more training to employees with regards to protecting patient data.