St. John’s Episcopal Hospital and Episcopal Health Services in New York have notified past and present patients that some of their protected health information (PHI) has potentially been compromised.
Episcopal Health Services discovered suspicious activity in the email accounts of several employees on September 18, 2018. The breach was immediately investigated with the help of a third-party digital forensics company. The investigation confirmed that several company email accounts had been compromised between August 28, 2018 and October 5, 2018.
A detailed analysis of the breached email accounts was concluded on November 1. The exposed information varied from one patient to another, with the following information potentially compromised: name, birth date, Social Security number, medical record number, medical history, diagnoses, treatment data, prescription details, financial information, and health insurance data.
Episcopal Health Services stated in its substitute breach notice that it is taking steps to improve data security. Actions taken so far include a forced reset of all employee email account passwords and extra email security controls to stop unauthorized account access.
No evidence was uncovered to suggest data was stolen or misused, but Episcopal Health Services has offered all patients affected by the breach one year of free credit monitoring services. Because of the sensitive nature of the exposed data, Episcopal Health Services urged patients to monitor their account statements for fraudulent transactions.
The number of patients impacted by the breach has not yet been disclosed by Episcopal Health Services.