Catawba Valley Medical Center and Byram Healthcare Breaches Impact Over 20,000 Patients

Catawba Valley Medical Center (CVMC) located in Hickory, NC, found out on August 13, 2018 that an unauthorized person had accessed a CVMC employee’s email account. After learning of the email breach, CVMC took action to safeguard the email account and block further access. A third-party computer forensics company was called in to conduct an investigation to determine the severity of the breach and ensure that access had been blocked.

The investigation showed that from July 4 to August 17, 2018, three employees had responded to phishing emails which led to their email accounts being compromised. Some emails in the breached accounts contained the protected health information (PHI) of patients, including names, birth dates, information on medical services obtained from CVMC, medical insurance information, and Social Security numbers. The investigation did not uncover evidence to suggest that any emails were forwarded, viewed, or copied and neither have there been any reports to suggest any PHI has been misused.

CVMC has since hired security professionals to improve employee training and more powerful email security defenses have now been implemented. CVMC will also update hardware and software to further improve security.

CVMC mailed notification letters on October 12, 2018 to all patients whose PHI was exposed as a result of the cyberattacks. The HHS’ Office for Civil Rights’ breach portal contains a summary of the breach which indicates 20,000 patients have potentially been affected.

Byram Healthcare, a medical supplies provider, has also reported a privacy breach. Law enforcement notified Byram Healthcare that one of its former employees has been accused of stealing patients’ credit card information. The investigation confirmed that the former employee had access to names, birth dates, addresses, limited health data, and credit card numbers. No Social Security numbers could be accessed by the former employee. The investigation is ongoing, and at this stage no report has been released to indicate how many patients have potentially been affected.

In response to the security breach, Byram Healthcare has given its employees further training about privacy and security responsibilities and the importance of protecting patients’ PHI. Byram Healthcare will also step up monitoring its employees’ access to PHI. Notification letters were mailed to the affected patients on October 22, 2018.