Valley Hope Association has discovered that an unauthorized individual has gained access to an employee’s email account and has potentially viewed patients’ protected health information.
Valley Hope Association noticed the potential email account breach on October 10, 2018, after detecting strange account activity. The association took immediate action to block third-party access to the account and hired a computer forensics company to investigate the nature and extent of the breach.
According to the investigation, an unauthorized person accessed one email account remotely from October 9 to 10, 2018 and may have viewed emails and email attachments that contained the protected health information of patients. After thoroughly reviewing all email messages and attachments, the forensics company confirmed PHI access was a possibility.
The types of data that the emails contained varied from one patient to another. One or more of the following data elements could have been accessed: Name, date of birth, address, Social Security number, medical record number, medication and prescription details, claims and billing data, medical insurance details, and physician’s name. The emails did not contain any diagnosis or treatment details.
After confirming the exposed information, Valley Hope Association has been collating the current contact details of all affected people and will notify them regarding their exact information that may have been compromised. Although there’s a possibility of data access/theft, no reports have been received to indicate misuse of any patient information.
As a preventative measure against identity theft and fraud, Valley Hope Association offered the patients affected by the breach one year free identity theft monitoring services via Kroll.
Valley Hope Association is assessing its policies and procedures and will take steps to increase the security of data and its systems.
Valley Hope has reported the breach to law enforcement, credit monitoring bureaus, state regulators and the Department of Health and Human Services Office’ for Civil Rights.
The OCR breach portal has yet to publish the details of the breach, so it is presently unknown how many people were affected by the breach.