Pawnee County Memorial Hospital, located in Pawnee City, Nebraska, is notifying 7,038 patients that a hacker potentially accessed some of their protected health information (PHI). On November 29, 2018, the hospital detected malware that had allowed the unauthorized person to access its email system.
The malware was installed in the hospital’s email system when an employee opened a malicious email attachment. Pawnee County Memorial Hospital published a substitute breach notice which stated that the email seemed to have come from a trustworthy source and that the attached file looked genuine.
A third-party computer forensics specialist assisted the hospital in investigating the incident. It was confirmed that the employee opened the email attachment on November 16, 2018 and that the malware allowed access to the email system until November 24.
The compromised email accounts contained a variety of clinical reports, clinical summaries, business reports and other internal files. Some documents contained patients’ full names as well as birth date, address, diagnosis, laboratory test data, medical record number, insurance details, driver’s license number, state ID number and Social Security number.
Although it was possible that PHI was accessed, it is uncertain if the hacker viewed or acquired any patient data. The hospital believes that the attack was financially motivated and was not conducted with the intention of stealing patient data.
Upon discovery of the breach, the hospital reset the passwords of all employee email accounts and implemented further safety measures to boost email security. The hospital has already sent breach notification letters to affected patients and has offered them free registration for online credit monitoring services for one year.