32,000 Patients’ PHI Potentially Exposed in Elizabethtown Community Hospital Email Breach
Around 32,000 patients of the University of Vermont Health Network’s Elizabethtown Community Hospital have received notices about the potential exposure of some of their protected health information (PHI).
Elizabethtown Community Hospital discovered on October 18, 2018, that an unauthorized individual accessed an employee’s email account. To block access, the password was changed and a leading computer forensic firm was retained to conduct a detailed investigation into the breach. The investigation, which took 60 days, confirmed that only one email account was compromised. Access was gained to that account on October 9, 2018.
The hospital’s information technology systems and healthcare records were unaffected although the analysis of the compromised email account revealed it contained the PHI of around 32,000 patients. The information in the email account included names, addresses, birth dates, primary information such as dates of service, summaries of healthcare services, certain medical information, and medical record numbers. The Social Security numbers of approximately 1,200 persons’ were also compromised.
During the nine days that the email account was accessible patients’ PHI may have been viewed or copied. Nevertheless, no reports of PHI misuse have been reported to Elizabethtown Community Hospital.
Elizabethtown Community Hospital decided to notify 32,000 patients regarding the breach, although it is possible that far fewer patients have been affected. Patients who had their Social Security numbers exposed have been offered free credit monitoring and identity theft protection services. The hospital has since strengthened email system security and employees have been given further HIPAA training for employees on data security.