DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

And then there were four five (Ascension Health entities breached)

Posted on April 27, 2015 by Dissent

Now that I know what I’m looking for, I’m finding more evidence of targeted email attacks affecting members of Ascension Health. For previous reports on this incident, read here and here. 

On March 16, Sacred Heart Health System in Florida posted this notice on their site about a breach they reported to HHS as affecting 14,177 patients:

The privacy and security of patient information is of utmost importance to Sacred Heart Health System, Inc. and we have implemented significant security measures to protect such information. Regrettably, despite Sacred Heart’s efforts to safeguard patient information, a hacking attack has affected Sacred Heart patients.

On February 2, 2015, we were notified by one of our third-party billing vendors that one of its employee’s e-mail user name and password had been compromised as a result of an e-mail hacking attack. The hacking attack was detected by our billing vendor on December 3, 2014 and the employee’s user name and password were shut down the same day. Upon notice of the incident, Sacred Heart, in cooperation with our billing vendor, immediately launched a thorough investigation into the matter. Sacred Heart engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected e-mail account. After careful review, we were able to determine that the billing vendor’s employee e-mail account contained personal information for approximately 14,000 individuals.

The personal health information in the e-mail account included patient names, date of service, date of birth, diagnosis and procedure, billing account numbers, total charges, and physician name. Approximately 40 individuals’, social security numbers were also compromised. The hackers did not gain access to individual medical records or billing records.

Please be assured that Sacred Heart is taking steps to mitigate this incident by notifying affected individuals via letter, posting this substitute notice, and providing notice to prominent media outlets in the area. Identity monitoring and protection services are being offered free of charge for those whose social security number has been affected by the incident. Additionally, we are working with our e-mail service provider to evaluate ways to enhance our already robust security program. We will also provide additional education to employees regarding e-mail hacking attacks.

In addition to the steps Sacred Heart has taken, affected individuals may wish to obtain a free credit report from each of the credit reporting bureaus — Equifax, Experian and TransUnion. The credit bureaus’ information is below:

Equifax 800-525-6285 www.equifax.com
Experian 888-397-3742 www.experian.com
TransUnion 800-680-7289 www.transunion.com

Sacred Heart sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that Sacred Heart is taking appropriate measures to avoid an incident of this nature happening in the future. Should you have any questions regarding this matter, please contact us at the following toll-free number: 1-877-244-8984 Monday through Friday, 8 a.m. to 6 p.m. CST with questions.

If Sacred Heart Health System is our fourth entry for the list, then St. Mary’s Health in Indiana is the fifth. Their breach affected 3,952 patients.  The notice on their web site reads, in part:

On December 3, 2014, St. Mary’s learned that several employees’ user names and passwords had been compromised as a result of an e-mail hacking attempt.  It immediately shut down the user names and passwords and launched an investigation into the matter.  After careful review, St. Mary’s learned on January 8, 2015, that employee e-mail accounts subject to the hacking attempt contained some personal information for approximately 4,400 individuals.

The personal health information in the e-mail account included patient name, date of birth, gender, date of service, insurance information, limited health information and, in some cases, social security numbers.  The hackers did not gain access to individual medical records or billing records.

 

Related posts:

  • FL: Sacred Heart Health System billing information hacked
  • HHS starts to reveal healthcare breaches reported to government
  • Nine more breaches newly revealed on HHS's web site
Category: Health DataMalwareOf NoteSubcontractor

Post navigation

← And then there were three (Ascension Health entities breached)
LabMD moves to disqualify Commissioner Ramirez from administrative case; also moves to dismiss entire case →

1 thought on “And then there were four five (Ascension Health entities breached)”

  1. Anonymous says:
    April 27, 2015 at 6:05 pm

    sheez, how many employee accounts were affected?

    What’s the tally? 39k + 25k + 14k people? 78k people so far and maybe more?

    Is it normal that this info only comes out about 5 months after the fact?

Comments are closed.

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.