Aultman Health Foundation is informing around 42,600 patients that their protected health information (PHI) may have been compromised during a recent phishing attack. Unauthorized and anonymous persons gained access to a number of email accounts of employees of Aultman Hospital, its AultWorks Occupational Medicine division, and selected Aultman physician offices.
The suspicious access was initially discovered on March 28, 2018, triggering a full investigation to determine the extent of the data breach and whether any sensitive data had been viewed. Third-party information security specialists assisted in the investigation and established that the email accounts were accessed several times beginning in mid-February, until Aultman Health Foundation detected the breach and took action in late March.
Only email accounts were involved in the data breach; the system maintaining electronic medical records was not infiltrated. The affected email accounts used by Aultman Hospital and a number of physician practices contained patient names, addresses, clinical data, medical record numbers, and doctors’ names.
Persons examined by AultWorks Occupational Medicine had more information disclosed, including patient names, addresses, birth dates, medical history, physical examination reports, the results of drug, hearing, and breathing tests, and several other laboratory test results. The Social Security numbers and/or driver’s license numbers of selected AultWorks Occupational Medicine patients were likewise exposed.
When Aultman Health Foundation discovered the phishing attack, it conducted a password reset to stop any further unauthorized access to the email accounts, requiring strong, complex passwords after the reset. The foundation also improved security monitoring to detect future breaches more readily and installed additional security controls on email accounts to block further attacks. Employees underwent further training to enhance resilience against phishing attacks.
Aultman Health Foundation stated in a data breach FAQ that it was not able to determine whether emails or email attachments containing PHI were accessed and read by the person(s) responsible for the attack, and that no reports have been received to suggest PHI misuse.
All patients affected by the breach were advised to monitor their credit reports and Explanation of Benefits statements. Aultman Health offered free credit monitoring services to individuals whose Social Security number or driver’s license number was compromised.