The University of Vermont Health Network has revealed that a data security incident at one of its facilities, Elizabethtown Community Hospital, has affected approximately 32,000 patients.
The breach was discovered on October 18, 2018, when it was found that an unauthorised third party had gained access to an employee's email account. Staff at the facility responded quickly, blocking access to the account by changing its login credentials. A third-party forensic security firm was contracted to assist with the aftermath of the breach and to investigate its cause. It was determined that the unauthorised individual gained access to only the one account. The investigation into the breach lasted 60 days.
It is likely that access was gained through a phishing campaign, although this has yet to be confirmed. Phishing is when a cybercriminal impersonates a legitimate organisation in order to obtain sensitive information, such as login credentials or financial details. The attacker typically crafts a spoofed email and sends it to an unsuspecting victim, who is invited to click a hyperlink and enter information into a legitimate-looking website. Some phishing emails instead carry attachments with embedded malware which, once opened, steals the login information. The attacker then harvests the information and uses it for nefarious purposes.
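The indicators named above (a spoofed sender, a link whose visible text does not match its real target, a malicious attachment, wording that pressures the recipient into entering credentials) are the sort of thing a mail filter or SOC triage script checks for. The following is an added illustration written for this article, not code from the hospital, the forensic firm or any product; the two sample messages, the trusted domain `hospital.example` and every address and URL in them are constructed, and the domain-reduction helper assumes a simple two-label suffix.

```python
"""Flag the phishing indicators described above in constructed sample emails.
All messages, domains and addresses below are constructed for illustration."""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".docm", ".xlsm")
LURE_PHRASES = ("verify your password", "confirm your credentials", "will be suspended")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared with its target."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip().lower()))
            self._href = None


def registered_domain(host):
    """Reduce 'mail.hospital.example' to 'hospital.example' (assumption: two labels suffice here)."""
    labels = (host or "").lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def phishing_indicators(raw_message, trusted_domains):
    """Return the list of indicator names found in one RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(sender.rpartition("@")[2])
    brands = {d.split(".")[0] for d in trusted_domains}
    # 1. Display name borrows a trusted brand while the address belongs to another domain.
    if sender_domain not in trusted_domains and any(b in display_name.lower() for b in brands):
        findings.append("display_name_spoof")
    # 2. Replies are routed to a domain other than the apparent sender's.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and registered_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append("reply_to_mismatch")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    # 3. Link text shows a trusted site while the href leads somewhere else.
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = registered_domain(urlparse(href).hostname)
        if any(d in text for d in trusted_domains) and target not in trusted_domains:
            findings.append("link_mismatch")
            break
    # 4. Credential-harvesting wording in the body.
    if any(p in html.lower() for p in LURE_PHRASES):
        findings.append("credential_lure")
    # 5. Attachment types that commonly carry malware (constructed list, not exhaustive).
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky_attachment")
            break
    return findings


def build_sample(from_header, html, reply_to=None, attachment=None):
    """Construct a sample message for the demonstration; not a real email."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "staff@hospital.example"
    m["Subject"] = "Mailbox notice"
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Plain-text fallback.")
    m.add_alternative(html, subtype="html")
    if attachment:
        m.add_attachment(b"constructed", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_string()


TRUSTED = {"hospital.example"}  # the organisation's own mail domain (constructed)
PHISH = build_sample(
    "Hospital IT Helpdesk <helpdesk@hospital-login.example.net>",
    '<p>Your mailbox will be suspended. <a href="http://hospital-login.example.net/owa">'
    "https://mail.hospital.example/owa</a> to verify your password.</p>",
    reply_to="collector@mailbox.example.org",
    attachment="policy.docm",
)
LEGIT = build_sample(
    "IT Helpdesk <helpdesk@hospital.example>",
    '<p>Maintenance tonight; see <a href="https://mail.hospital.example/owa">mail.hospital.example</a>.</p>',
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw, TRUSTED))
```

Each indicator on its own is weak evidence (legitimate mail uses Reply-To and macro-enabled documents too), so a real filter would weight and combine them rather than block on any single hit; the value of the script is that it makes each of the lures described in the paragraph concrete and checkable.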
Investigators determined that the hospital's information technology systems were not accessed, and that sensitive information stored on those systems, such as medical records, remained secure.
An analysis of the breached email account revealed it contained the protected health information (PHI) of around 32,000 patients. The information affected by the breach included names, addresses, dates of birth, primary information such as medical record numbers, dates of service, summaries of services provided, and limited medical information. Some patients had more information compromised than others. The Social Security numbers of 1,200 patients were exposed during the breach.
Investigators determined that the email account was compromised for a period of nine days. Although there is no evidence that the PHI was copied or viewed by an unauthorised party, it is possible that the hacker was able to cover their tracks. At the time of writing, Elizabethtown Community Hospital has stated that it is unaware of any misuse of patient information.
In accordance with HIPAA's Breach Notification Rule, Elizabethtown Community Hospital notified the 32,000 patients affected by the breach. The investigation is ongoing, and the breach may be found to have affected fewer patients. The organisation has offered free credit monitoring and identity theft protection services to those whose Social Security number was exposed, as they are at the greatest risk of identity fraud.
"We are very sorry this has happened," said John Remillard, president of Elizabethtown Community Hospital. "We take seriously our responsibility to protect the privacy and confidentiality of the personal information of our patients and employees."
In a statement, Elizabethtown Community Hospital said that it has taken steps to enhance the security of its email system. Further training has been provided to employees to reduce the risk of a breach of this nature recurring and to ensure employees are fully aware of their responsibilities under HIPAA.
Hospitals are increasingly becoming targets of phishing and other cyberattacks. Medical data has a high black-market value, so a successful phishing attack can prove lucrative. Because many hospitals and healthcare facilities operate on strict budgets, they often lack the security controls or training framework needed to fend off these attacks. As the attacks become more sophisticated, however, healthcare organisations will have to increase their efforts to ensure that the sensitive data of their patients and employees remains secure.