Now that I know what I’m looking for, I’m finding more evidence of targeted email attacks affecting members of Ascension Health. For previous reports on this incident, read here and here.
On March 16, Sacred Heart Health System in Florida posted this notice on their site about a breach they reported to HHS as affecting 14,177 patients:
The privacy and security of patient information is of utmost importance to Sacred Heart Health System, Inc. and we have implemented significant security measures to protect such information. Regrettably, despite Sacred Heart’s efforts to safeguard patient information, a hacking attack has affected Sacred Heart patients.
On February 2, 2015, we were notified by one of our third-party billing vendors that one of its employee’s e-mail user name and password had been compromised as a result of an e-mail hacking attack. The hacking attack was detected by our billing vendor on December 3, 2014 and the employee’s user name and password were shut down the same day. Upon notice of the incident, Sacred Heart, in cooperation with our billing vendor, immediately launched a thorough investigation into the matter. Sacred Heart engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected e-mail account. After careful review, we were able to determine that the billing vendor’s employee e-mail account contained personal information for approximately 14,000 individuals.
The personal health information in the e-mail account included patient names, date of service, date of birth, diagnosis and procedure, billing account numbers, total charges, and physician name. Approximately 40 individuals’, social security numbers were also compromised. The hackers did not gain access to individual medical records or billing records.
Please be assured that Sacred Heart is taking steps to mitigate this incident by notifying affected individuals via letter, posting this substitute notice, and providing notice to prominent media outlets in the area. Identity monitoring and protection services are being offered free of charge for those whose social security number has been affected by the incident. Additionally, we are working with our e-mail service provider to evaluate ways to enhance our already robust security program. We will also provide additional education to employees regarding e-mail hacking attacks.
In addition to the steps Sacred Heart has taken, affected individuals may wish to obtain a free credit report from each of the credit reporting bureaus — Equifax, Experian and TransUnion. The credit bureaus’ information is below:
Equifax 800-525-6285 www.equifax.com Experian 888-397-3742 www.experian.com TransUnion 800-680-7289 www.transunion.com Sacred Heart sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that Sacred Heart is taking appropriate measures to avoid an incident of this nature happening in the future. Should you have any questions regarding this matter, please contact us at the following toll-free number: 1-877-244-8984 Monday through Friday, 8 a.m. to 6 p.m. CST with questions.
If Sacred Heart Health System is our fourth entry for the list, then St. Mary’s Health in Indiana is the fifth. Their breach affected 3,952 patients. The notice on their web site reads, in part:
On December 3, 2014, St. Mary’s learned that several employees’ user names and passwords had been compromised as a result of an e-mail hacking attempt. It immediately shut down the user names and passwords and launched an investigation into the matter. After careful review, St. Mary’s learned on January 8, 2015, that employee e-mail accounts subject to the hacking attempt contained some personal information for approximately 4,400 individuals.
The personal health information in the e-mail account included patient name, date of birth, gender, date of service, insurance information, limited health information and, in some cases, social security numbers. The hackers did not gain access to individual medical records or billing records.
sheez, how many employee accounts were affected?
What’s the tally? 39k + 25k + 14k people? 78k people so far and maybe more?
Is it normal that this info only comes out about 5 months after the fact?