Indiana-based Beacon Health System is notifying an undisclosed number of patients that their personal information may have been compromised by unauthorized individuals who gained access to employee email accounts.
How many victims? Undisclosed.
What type of personal information? Names, doctor names, internal patient ID numbers, patient statuses, Social Security numbers, dates of birth, driver's license numbers, diagnoses, dates of service, and treatments and other medical record information.
What happened? Unauthorized individuals gained access to Beacon employee email accounts – which contained the personal information – as part of a phishing attack.
What was the response? An investigation is ongoing. Beacon is reviewing policies and procedures and is implementing additional measures to prevent a similar incident from occurring. All potentially impacted individuals are being notified and offered a free year of identity and credit monitoring and restoration services.
Details: Beacon discovered unauthorized access to employee email accounts on March 25 and, on May 1, was advised that protected health information was contained in the affected email accounts. Certain affected email accounts were accessed beginning November 2013, and the last date of unauthorized access was Jan. 26.
Quote: “While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes,” according to a notification posted to Beacon's website.
Source: beaconhealthsystem.org, “Beacon Health Provides Notice of Data Security Event,” May 22, 2015.