Florida-based Sacred Heart Health System is notifying roughly 14,000 patients that the employee of a third party billing vendor had their username and password compromised, and the email account contained personal information.
How many victims? Roughly 14,000.
What type of personal information? Names, dates of service, dates of birth, diagnoses and procedures, billing account numbers, total charges, and physician names. For about 40 individuals, Social Security numbers were also compromised.
What happened? Sacred Heart Health System was notified by a third party billing vendor that one of its employees had their username and password compromised in an “e-mail hacking attack,” and that the email account contained the personal information.
What was the response? The affected email account was shut down as soon as the incident was detected. Upon notice of the incident, Sacred Heart Health System immediately engaged computer forensics experts and launched an investigation in cooperation with the third party billing vendor. Sacred Heart Health System is working with its email service provider to evaluate ways to improve security, and will also provide education to employees. All impacted individuals are being notified, and offered free identity monitoring and protection services.
Details: On Feb. 2, the third party billing vendor notified Sacred Heart Health System that a “hacking attack” was detected on Dec. 3, 2014.
Quote: “The hackers did not gain access to individual medical records or billing records,” according to a notification posted to the Sacred Heart Health System website.
Source: sacred-heart.org, “Patients Notified of Billing Data Breach,” March 16, 2015.