Over 20,000 Patients’ PHI Potentially Exposed in Catawba Valley Medical Center and Byram Healthcare Breaches


Catawba Valley Medical Center (CVMC), based in Hickory, NC, discovered on August 13, 2018 that an unauthorized person had accessed the email account of a CVMC employee. After learning of the breach, CVMC secured the account to prevent further access. A third-party computer forensics firm was engaged to investigate the breach and determine its scope.

The investigation revealed that between July 4 and August 17, 2018, three CVMC employees responded to phishing emails, which led to the compromise of their accounts. Some emails in the compromised accounts contained patients’ protected health information (PHI), including names, dates of birth, medical insurance information, details of medical services received from CVMC and, for several patients, Social Security numbers.

The investigation produced no evidence that anyone viewed or copied emails from the accounts, and there were no reports of improper use of any patient health data. In response to the phishing attack, CVMC engaged security experts to enhance employee training and deploy stronger email security defenses. CVMC is also updating computer hardware and software as necessary to defend against malicious threats.

On October 12, 2018, CVMC mailed notification letters to all patients affected by the email account breaches. The breach listing on the HHS’ Office for Civil Rights breach portal indicates that about 20,000 patients were potentially affected.

Law enforcement informed Byram Healthcare, a medical supplies provider, that a former employee had been charged with theft of patients’ credit card details.

Byram Healthcare brought in investigators to examine the incident and confirmed that the employee had viewed patients’ private data, including names, dates of birth, addresses, credit card numbers and limited medical information. No Social Security numbers were exposed. The exact number of patients affected by the breach has not been reported.

In response to the incident, Byram Healthcare provided additional employee training on privacy and security responsibilities and the protection of patients’ PHI, and employees will be supervised more closely. Breach notification letters concerning the privacy violation and potential theft of PHI were mailed to the affected patients on October 22, 2018.