32,000 Patients’ PHI Potentially Exposed in Elizabethtown Community Hospital Email Breach

Around 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital have received notices about the potential exposure of some of their protected health information (PHI).

Elizabethtown Community Hospital discovered on October 18, 2018, that an unauthorized individual accessed an employee’s email account. To block access, the password was changed and a leading computer forensic firm was retained to conduct a detailed investigation into the breach. The investigation, which took 60 days, confirmed that only one email account was compromised. Access was gained to that account on October 9, 2018.

The hospital’s information technology systems and healthcare records were unaffected, although analysis of the compromised email account revealed it contained the PHI of around 32,000 patients. The information in the email account included names, addresses, birth dates, primary information such as dates of service, summaries of healthcare services, certain medical information, and medical record numbers. The Social Security numbers of approximately 1,200 persons were also compromised.

During the nine days that the email account was accessible, patients’ PHI may have been viewed or copied. Nevertheless, Elizabethtown Community Hospital has received no reports of PHI misuse.

Elizabethtown Community Hospital decided to notify 32,000 patients regarding the breach, although it is possible that far fewer patients have been affected. Patients who had their Social Security numbers exposed have been offered free credit monitoring and identity theft protection services. The hospital has since strengthened email system security, and employees have been given further HIPAA training on data security.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/