Adirondack Health has revealed that a cyberattack on the organization may have compromised the protected health information (PHI) of around 25,000 individuals.
Adirondack Health, based in Vermont, is a member of the Adirondacks Accountable Care Organization (ACO). The ACO receives and analyzes patient data to help improve the quality of care delivered to patients. Because healthcare data carries a high black-market value, organizations like Adirondack Health are attractive targets for attackers.
The ACO detected suspicious activity on a staff email account and quickly determined that an unauthorized individual had gained access to it. The breach was discovered on March 4, 2019, and IT staff immediately revoked the unauthorized access. A subsequent investigation determined that the intruder had access to the account for around two days.
The ACO reviewed all emails and attachments in the compromised account to determine whether any PHI had been exposed. Only one item in the account contained private information: an email discussion about patients in the North Country who had failed to attend a baby health screening appointment.
That email carried an attached ‘gap-in-care’ spreadsheet containing PHI. The spreadsheet included patients’ names, dates of birth, Medicare ID numbers or health insurance member numbers, and a small amount of treatment or clinical information. For some patients, the spreadsheet also included Social Security numbers.
Investigators found no evidence that the unauthorized individual used the data for malicious purposes, or even opened the email containing PHI, but the possibility could not be ruled out. Because the intruder had access to the entire mailbox for two days, every message in it had to be treated as potentially viewed.
In accordance with HIPAA’s Breach Notification Rule, notification letters were sent to affected patients in early July. The ACO stated that locating current addresses for some patients took time. Around 25,000 letters have now been sent, and only a small number of patients remain to be contacted.
Patients whose Social Security numbers were exposed have been offered free credit monitoring and identity theft protection services. All affected patients have been advised to review their financial accounts and explanation of benefits statements and to remain alert to fraudulent use of their information.
A representative for Adirondack Health said the email account was accessed remotely by an individual located outside the United States. How the account credentials were obtained is currently unknown, but Adirondack Health has stated that the breach was not the result of a phishing attack.
Adirondack Health has since amended its policies and procedures regarding the use of email to transmit files containing PHI.