Now can I say, “I told you so?”
When Ascension Health wouldn’t answer my question as to whether there were other members who had also had a phishing incident recently other than the two hospitals I had already reported on, I was even more suspicious.
Then this afternoon, I discovered that St. Agnes Health Care, Inc. in Maryland notified HHS of a breach of a “hacking/IT incident” involving PHI located in email. The breach affected 24,967.
So I searched their site, and sure enough, they, too are part of Ascension Health, and they, too have what has become Ascension’s standard notice for this incident on their web site (although you won’t spot it from the home page):
Saint Agnes Health Care, Inc. (“Saint Agnes”) recently sent letters to approximately 25,000 individuals informing them of an email phishing incident which targeted the e-mail accounts of its employees. Through a fraudulent e-mail communication, sophisticated hackers gained access to protected health information contained in an employee e-mail account. The incident resulted in certain patient protected information being compromised, which included one or more of the following items: name, date of birth, gender, medical record number, insurance information, limited clinical information and, in four cases, social security numbers.
The user name and password for the e-mail account was immediately shut down and Saint Agnes launched a thorough investigation into the matter. Saint Agnes engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected e-mail account. The analysis involved manual and electronic review of the information to determine the scope of the incident and identify all individuals affected.
“We value the privacy and security of patient protected information and we are committed to protecting the confidentiality and privacy of our patients and employees,” said Sharon McNamara Corporate Responsibility Officer at Saint Agnes Healthcare, Inc. “It is our priority to support those who have been affected.”
“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” McNamara said. “Specifically, we will continue to implement administrative, technical and physical safeguards against unauthorized access of protected health information. In this instance, we reported the incident to our e-mail service provider and are evaluating additional ways to enhance our already robust security program.”
Concerned individuals may wish to obtain a free credit report from each of the credit reporting bureaus – Equifax, Experian and TransUnion. The credit bureaus’ information is below:
Equifax 800-525-6285 www.equifax.com
Experian 888-397-3742 www.experian.com
TransUnion 800-680-7289 www.transunion.com
Identity monitoring and protection services will be offered free of charge as appropriate for individuals whose social security number has been compromised by this incident. Affected individuals may call 1- 866-870-0474, Monday through Friday, 9 a.m. to 7 p.m. EST with questions.
Unlike St. Vincent’s and Seton Family’s notifications, however, this one doesn’t indicate when they discovered the breach. Anyone care to bet it was the first week of December?