Saltzer Health based in Nampa, Idaho has begun informing a number of patients regarding the exposure of their protected health information (PHI) due to an email account breach, which was discovered on June 1, 2021.
As per the investigation, an unauthorized person got access to the email account of an employee from May 25, 2021 to June 1, 2021. Saltzer Health could not find any proof that suggests the attacker had seen or exfiltrated email messages from the account, however, it cannot rule out the probability of unauthorized access and theft of PHI.
The investigation affirmed that the breach only affected one email account and that other systems were not impacted. With the help of third-party experts, Saltzer Health performed a detailed analysis of the email account to find out which individuals were impacted.
The analysis was concluded on September 21, 2021, and showed that these types of patient information were held in the email account: Names, contact details, state ID numbers, driver’s license numbers, medical backgrounds, medical record numbers, diagnoses, treatment data, doctor details, prescription details, and medical insurance data, together with some financial account data and Social Security numbers.
As soon as the impacted patients were determined, Saltzer Health carried out a manual assessment of internal records to confirm patients’ contact details, consequently, the issuance of breach notification letters was delayed up to December.
Saltzer Health has given the impacted patients details concerning the steps they could do to protect against identity theft and fraudulence, however, the substitute breach notice did not mention anything concerning any offer of credit monitoring or identity theft protection services.
The healthcare provider submitted the breach report to the Department of Health and Human Services’ Office for Civil Rights, however, it is not yet appearing on the OCR breach website, and so it is presently uncertain how many individuals were affected by the breach.