Adirondack Health in Vermont is informing roughly 25,000 patients that a hacker may have accessed some of their protected health information (PHI).
The information that was potentially compromised includes patients' names, dates of birth, Medicare ID numbers or medical insurance member numbers, and some information on treatment and/or clinical results. Some patients' Social Security numbers may also have been exposed.
Adirondack Health belongs to the Adirondacks Accountable Care Organization (ACO), along with other healthcare providers. To monitor and help raise the quality of patient services, the ACO obtains and examines some patient data.
The ACO recently found out that an unauthorized person had gained access to an employee's email account. The breach was discovered on March 4, 2019, and the employee's email account was promptly secured. However, the account had been accessible to the hacker for two days.
The ACO reviewed all the email messages and attachments in the affected account to determine whether any PHI had been exposed. Only one email discussion in the compromised account was found to contain private information. It concerned patients in the North Country who had missed a scheduled infant health screening.
The discussion was related to an ACO population health study. The email had an attached 'gap-in-care' spreadsheet that contained PHI. It is not known whether the hacker opened the email, but the possibility cannot be ruled out.
Adirondack Health sent breach notification letters to the affected patients in early July. Some patients' current addresses took more time to verify, but about 25,000 letters have already been sent; only a few remain to be sent.
The provider offered free credit monitoring and identity theft protection services to patients whose Social Security numbers were exposed. All patients were advised to keep an eye on their explanation of benefits and financial account statements for signs of fraud.
An Adirondack Health spokesperson said that a person outside the United States remotely accessed the email account, and that the account breach was not the result of a phishing attack.
Since the breach, Adirondack Health has revised its policies and procedures for sending files that contain PHI by email.