Episcopal Health Services Issues Second Batch of Breach Notification Letters

Episcopal Health Services has sent a second batch of breach notification letters to patients affected by a 2018 phishing attack. The letters are being sent to individuals who were not initially identified as being affected by the breach. 

Episcopal Health Services, which operates St. John’s Episcopal Hospital in New York, noticed suspicious activity on several employee email accounts in September 2018. An investigation was launched, which revealed that a hacker had successfully harvested these email credentials through a phishing attack. The investigation revealed that the accounts were first compromised on August 28, 2018, and remained unsecured until October 5, 2018.

The investigation into the scope of the breach found that patient information had been exposed. Episcopal Health Services sent breach notification letters to affected patients on November 15.

The exposed information varied from individual to individual and may have included names, dates of birth, financial information, Social Security numbers, medical record numbers, diagnoses, medical histories, prescription information, treatment information, and health insurance information.

After the letters had been sent, the investigators continued to examine compromised email accounts. On February 26, 2019, it was determined that the additional accounts compromised by the hacker also contained PHI. As a result of this continued investigation, on March 19, 2019, the second round of notification letters was sent to patients who were also discovered to have been affected by the breach.

Individuals whose PHI has been exposed have been offered complimentary credit monitoring and identity theft protection services for 12 months. Episcopal Health has also advised all affected patients to monitor their accounts carefully for suspicious activity and to contact the relevant authorities should they notice any signs of fraud.

The breach report submitted to the HHS’ Office for Civil Rights on November 19, 2018, indicates that the phishing attacks impacted 218,055 individuals.