Email Account Hack on Adirondack Health Impacts PHI of 25,000 Patients

Adirondack Health Vermont notified about 25,000 patients regarding the potential exposure of their protected health information (PHI) due to hacking.

The potentially compromised information include the patients’ names, birth dates, healthcare insurance member numbers or Medicare ID numbers, and certain treatment data and/or clinical findings. Some patients’ Social Security number may likewise had been compromised.

Adirondack Health is owned by the Adirondacks Accountable Care Organization (ACO), together with other healthcare companies. To monitor and help boost the quality of patient care, ACO obtains and examines certain patient information.

ACO lately confirmed the access of the email account of an employee by an unauthorized person. The company discovered the breach on March 4, 2019 and promptly secured the employee’s email account. Nonetheless, the hacker accessed the account for two days.

ACO analyzed all the emails and attachments in the employee’s account to learn if there’s PHI exposed. Private information was found only in one email conversation, which concern a patient based in the North Country who was unable to come to a scheduled baby health screening.

The conversation was related to an ACO population health research. There’s an attached ‘gap-in-care’ spreadsheet containing PHI in the email. There was no confirmed information that the hacker accessed the email, but the possibility can’t be ruled out.

In early July, Adirondack Health mailed breach notification letters to the affected patients. Though it took more time for some patients’ current address to be verified, around 25,000 notification letters had been dispatched already. A few more letters still need to be mailed.

The provider provided credit monitoring and identity theft protection services for free to patients whose Social Security numbers were exposed. All patients received instructions to watch their explanation of benefits and monetary account statements for possible data fraud.

An Adirondack Health representative stated that an individual outside America had remote access to the email account and that phishing attack was not the reason for the breach.

From the time the breach happened, the Adirondack Health policies and procedures for communicating email with PHI had been revised.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at