Rutland Medical Center has announced it has experienced a data breach after an unauthorised individual gained access to the email accounts of several employees.
An employee of Rutland Medical Center noticed the breach after realising that their email account had been used to send large quantities of spam email on December 21, 2018. The employee reported the incident to the healthcare facility’s IT department on December 28. Three days later, investigators determined that an unauthorised individual had gained access to the employee’s email account and was using it for malicious purposes.
IT security staff immediately took action to secure the email account and block the hacker’s access. The medical facility hired a third-party forensic expert to assist with the investigation. Although the investigation into the breach is ongoing, on February 6, the forensics expert made a preliminary statement saying that an unauthorised individual compromised nine employee email accounts between November 2, 2018, and February 6, 2019.
The compromised email accounts included information such as patients’ full names, dates of birth, contact information, patient ID numbers, medical record numbers, financial information, diagnoses, treatment information, Social Security numbers, and health insurance data. The hacker only gained access to employee email accounts; the EMR system and other internal systems were unaffected by the breach.
Per HIPAA’s Breach Notification Rule, the Rutland Regional Medical Center is sending breach notification letters to patients whose PHI may have been accessed in due course.
Rutland Regional Medical Center has stated that it is reviewing its cybersecurity practices to mitigate the risk of a similar breach occurring in the future. The IT department is in the process of creating new safeguards and security measures that will better protect patients’ protected health information and improve email security to help prevent further breaches of this nature.
Rutland Regional Medical Center has reported the incident to the Department for Health and Human Services’ Office for Civil Rights. The breach portal indicates that 72,224 patients have been affected by the breach.
Rutland Regional Medical Center is based in Rutland City and is the second largest community hospital in the state of Vermont.