An unauthorized person accessed the email account of one employee at Elizabethtown Community Hospital, putting patient information at risk.
Executives at the facility, which is part of the University of Vermont Health Network, said the email access was first gained on October 9, but the organization did not know of the intrusion until 10 days later.
Now, 32,000 individuals are being notified that their protected health information may have been accessed. Of those, about 1,200 of those individuals may have had their Social Security numbers accessed—they were offered credit and identity theft protection from Experian for one year, except for residents of Connecticut, which has a law requiring two years of identity protection.
Other affected individuals who did not have Social Security numbers put at risk were given information on how to protect themselves against fraud or identity theft.
With email accounts an easy way to access healthcare organization’s networks, delayed knowledge that an attack occurred has become common; eventually, most affected providers are informed by police or the FBI that in the course of investigating breaches they find other related ones from the same perpetrator.
Upon learning of a breach, organizations typically change passwords, implement enhanced security features, engage a data forensic security firm, enhance security of the email system, and reeducate the workforce on how to recognize hackers posing as known and trusted individuals.
“We are very sorry this has happened,” said a notification letter to affected patients from Elizabethtown Community Hospital. “We take seriously our responsibility to protect the privacy and confidentiality of the personal information of our patients and employees. To help prevent something like this from happening in the future, we have taken organization-wide steps to enhance the security of our email system and are reinforcing education with our staff to assure protection of patients’ information.”