Application security, Breach, Threat Management, Data Security

Vermont, Dallas medical facilities suffer email account breaches

In separate incidents, two U.S. health care facilities have publicly disclosed data breaches that resulted from the unauthorized access of an employee's email.

Yesterday, the University of Vermont Health Network – Elizabethtown Community Hospital (ECH) acknowledged that an unauthorized individual remotely accessed an employee's email account on Oct. 9. This account contained the personal information of roughly 32,000 patients, in some cases including Social Security numbers, names, dates of birth and addresses.

The breach also exposed limited medical information primarily associated with billing, such as medical record numbers, dates of service and a brief summary of services provided.  The account also contained the Social Security numbers of some individuals.

According to the health care provider's website, ECH is part of a six-hospital network that treats patients in northern New York and Vermont.

"We completed an initial 60-day investigation of the incident and have no evidence of any fraud or identity theft to any individual as a result of this incident," states ECH's online public disclosure, adding it changed passwords, enhanced email security, took steps to reinforce staff education, notified impacted patients and hired a forensic security team in response to the incident.

The approximately 1,200 individuals whose Social Security numbers were compromised will be eligible for free credit and identity theft monitoring services, the hospital says.

Meanwhile, the Dallas-Fort Worth location branch of the nationwide CCRM fertility clinic also recently posted a breach notification, as reported by DataBreaches.net.

In this instance, the incident took place on Oct. 4, when an unauthorized party accessed a former nurse's email account and used it to send spam emails to patients.

Although the clinic has no evidence that patient information was stolen, it is possible the perpetrator may have viewed or accessed data including names, addresses, email addresses, health information, insurance details, medical history and, in limited cases, Social Security numbers and driver’s license numbers.

CCRM said it sent out notification letters to potentially affected patients on Dec. 3, adding that it has "taken steps to prevent a similar event from occurring in the future."


Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.