Potential PHI Exposure Due to Hacking of Rutland Regional Medical Center Email Accounts


Rutland Regional Medical Center (RRMC), located in Rutland City, is the biggest community hospital in the state of Vermont. It discovered that hackers accessed nine employees’ email accounts and possibly viewed or acquired the protected health information (PHI) of patients.

On December 21, 2018, an RRMC employee discovered that a lot of spam emails had been sent from their email account. Then, on December 28, 2018, RRMC’s IT department received a report of a potential security breach. On December 31, the IT department stated that an unauthorized person had remotely accessed the employee’s email account.

The IT department immediately secured the account, and a third-party forensic specialist investigated the breach. Although the investigation is not yet finished, the forensic specialist confirmed on February 6, 2019, that nine email accounts were compromised from November 2, 2018 to February 6, 2019.

The compromised email accounts may have included the following PHI: patients’ full names, birth dates, contact details, medical record numbers, patient ID numbers, financial details, diagnoses, treatment data, Social Security numbers, and medical insurance details. The breach affected only the email accounts; the EMR system and other internal systems remained secure.

Rutland Regional Medical Center patients whose PHI was potentially compromised will receive notification letters in due time. RRMC will enforce more safeguards and security precautions to better protect patients’ PHI and to strengthen email security against similar breaches.

The Department of Health and Human Services’ Office for Civil Rights has not yet published the incident on its breach portal, so the number of affected patients is still unclear.