Monroe County Hospital & Clinics (MCHC) announced last week that it has notified approximately 7,500 individuals as the result of a recent cyberattack that may have resulted in unauthorized access to patients’ protected health information.
According to MCHC, on Dec. 19, 2019, the organization discovered a cybersecurity incident that compromised its business e-mail system. MCHC immediately began an investigation and hired an outside forensic computer expert to determine the size and scope of the attack.
The investigation found that one or more unauthorized individuals from outside of MCHC had access to several employees’ e-mail accounts between Oct. 28, 2019 and Jan. 20, 2020. The attack did not impact MCHC’s electronic medical record or billing systems. The only unauthorized access to patient information may have occurred through the compromised e-mail accounts where the information was in the body of an e-mail or in an attachment.
MCHC engaged computer forensic investigators to manually review the contents of the compromised e-mail accounts to determine if any accounts contain personal health information. The investigation indicates that patients’ personal health information was contained in one or more of the compromised e-mail accounts. Information that may have been accessed includes full name, demographic information (such as address and date of birth), date of service, medical record number, insurance status or payor type, and clinical information (such as a diagnosis code, reason for visit, and other treatment-related information). For some individuals, the information also included Social Security number.
After learning of the attack, MCHC took a number of steps to prevent similar incidents from occurring in the future. This included requiring all MCHC employees to reset their e-mail account passwords and conducting additional training regarding e-mail cyberattacks. MCHC is also working to deploy additional technologies designed to prevent similar attacks.
MCHC sent letters to impacted individuals for whom MCHC has valid addresses by U.S. mail. The letters contain important information about steps individuals can take to help prevent medical identity theft or fraud. MCHC continues to work with the computer forensic investigators to manually review additional compromised accounts. If MCHC determines that an individual’s Social Security number, driver’s license number, or financial account information was included in one of the e-mail accounts that is under review, MCHC will send a follow-up notification in writing.
MCHC has arranged for a one-year enrollment in an online credit monitoring service provided by Equifax, one of the three nationwide credit reporting companies. Instructions on how to enroll in this free service are included in the letters sent to affected individuals.
Individuals who have questions or concerns about this incident can call a confidential, toll-free hotline that is staffed with professionals familiar with this incident who can assist with questions and the steps impacted individuals can take to protect against identity theft and fraud. The hotline is available at 1-866-977-0798, Monday through Friday, from 8 a.m. – 8 p.m. CST.