In separate incidents, two U.S. health care facilities have publicly disclosed data breaches that resulted from the unauthorized access of an employee’s email.
Yesterday, the University of Vermont Health Network – Elizabethtown Community Hospital (ECH) acknowledged that an unauthorized individual remotely accessed an employee’s email account on Oct. 9. This account contained the personal information of roughly 32,000 patients, in some cases including Social Security numbers, names, dates of birth and addresses.
The breach also exposed limited medical information primarily associated with billing, such as medical record numbers, dates of service and a brief summary of services provided. The account also contained the Social Security numbers of some individuals.
According to the health care provider’s website, ECH is part of a six-hospital network that treats patients in northern New York and Vermont.
“We completed an initial 60-day investigation of the incident and have no evidence of any fraud or identity theft to any individual as a result of this incident,” states ECH’s online public disclosure, adding it changed passwords, enhanced email security, took steps to reinforce staff education, notified impacted patients and hired a forensic security team in response to the incident.
The approximately 1,200 individuals whose Social Security numbers were compromised will be eligible for free credit and identity theft monitoring services, the hospital says.
Meanwhile, the Dallas-Fort Worth location branch of the nationwide CCRM fertility clinic also recently posted a breach notification, as reported by DataBreaches.net.
In this instance, the incident took place on Oct. 4, when an unauthorized party accessed a former nurse’s email account and used it to send spam emails to patients.
Although the clinic has no evidence that patient information was stolen, it is possible the perpetrator may have viewed or accessed data including names, addresses, email addresses, health information, insurance details, medical history and, in limited cases, Social Security numbers and driver’s license numbers.
CCRM said it sent out notification letters to potentially affected patients on Dec. 3, adding that it has “taken steps to prevent a similar event from occurring in the future.”