The following press release was issued on May 22 by Beacon Health System. Note the attempt to characterize this as a “sophisticated” attack. That’s PR-speak for “our employees fell for it.” Of note, it appears that this attack went back to November 2013. Was there any audit between then and now that could have detected this sooner?
The total number affected was not reported, so we’ll see if this appears on HHS’s public breach tool at some point. UPDATE: Healthcare IT reports that this breach impacted 220,000. UPDATE 2: Beacon Health reported this to HHS as affecting 306,789. It’s not clear whether the 220,000 figure or the 306,789 figure is the more recent/accurate one.
Although there is no evidence of any actual or attempted misuse of personal or protected health information belonging to Beacon Health System (“Beacon”) patients, Beacon is notifying the media and affected patients that it was the subject of a sophisticated phishing attack, and that unauthorized individuals gained access to Beacon employee email boxes, which contained the personal and protected health information of some individuals, including patients.
Beacon discovered that it had been the target of a sophisticated cyber attack. On March 25, 2015, during the investigation of this attack, Beacon discovered unauthorized access to email boxes of some of its employees, which potentially contained information on patients. Certain email boxes were accessed beginning as early as November 2013, and the last date of unauthorized access into any email box was January 26, 2015.
Beacon continued an extensive review to determine if sensitive information was affected. On May 1, 2015, Beacon was advised that protected health information was contained in the affected emails. While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes. The majority of accessible information related only to patient name, doctor’s name, internal patient ID number, and patient status (either active or inactive). The accessible information, which was different for different individuals, included the following types of information: Social Security number, date of birth, driver’s license number, diagnosis, date of service, and treatment and other medical record information. There is no evidence that the unauthorized users viewed or removed data from the email boxes. Beacon is mailing letters to affected individuals beginning May 22, 2015. The forensic investigation is ongoing, and Beacon will notify additional individuals if necessary.
Although there is no report of any attempted or actual misuse of the information contained in the email boxes, Beacon is providing affected individuals with access to one year of free identity and credit monitoring and restoration services, along with access to a confidential assistance line and an identity theft protection specialist. Additionally, Beacon is consulting with the FBI and has notified the Department of Health and Human Services and various state regulators. Beacon is reviewing its policies and procedures and is implementing additional measures to prevent an incident like this from happening again.
Individuals are encouraged to regularly review any Explanation of Benefits statements received from insurers for suspicious activity. If an individual does not receive regular Explanation of Benefits statements, he or she can contact his or her insurer and request copies. Individuals may want to order copies of credit reports and check for any unrecognized medical bills. If an individual finds anything suspicious, he or she can call the credit reporting agency at the phone number on the report. Individuals should keep a copy of notices in case future problems arise. Individuals may also want to request a copy of medical records from providers, to serve as a baseline.
At no charge, an individual can also have these credit bureaus place a “fraud alert” on his or her file that alerts creditors to take additional steps to verify his or her identity prior to granting credit in his or her name. Note, however, that because a fraud alert tells creditors to follow certain procedures, it may also delay an individual’s ability to obtain credit while the agency verifies his or her identity. As soon as one credit bureau confirms an individual’s fraud alert, the others are notified to place fraud alerts on the individual’s file. Should an individual wish to place a fraud alert, or have any questions regarding a credit report, he or she should contact any one of the agencies listed below. Information regarding security freezes is also available from these agencies.
Equifax |
Experian |
TransUnion |
P.O. Box 105069 |
P.O. Box 2002 |
P.O. Box 2000 |
Atlanta, GA 30348 |
Allen, TX 75013 |
Chester, PA 19022-2000 |
800-525-6285 |
888-397-3742 |
800-680-7289 |
Individuals can further educate themselves regarding identity theft, security freezes, and the steps to take to protect themselves, by contacting the Federal Trade Commission (FTC) or their State Attorney General. The FTC can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.ftc.gov/bcp/edu/microsites/idtheft/; 1-877-ID-THEFT (877-438-4338); and TTY: 866-653-4261. The FTC encourages those who discover that their information has been misused to file a complaint with them. Information on how to file such a complaint can be found at the FTC website listed above. North Carolinaresidents can obtain information about preventing identity theft from the North Carolina Attorney General’s Office. The Attorney General can be contacted by mail at 9001 Mail Service Center, Raleigh, NC 27699-9001; toll-free at 1-877-566-7226; by phone at 1-919-716-6400; and online at www.ncdoj.gov. For Marylandresidents, the Attorney General can be contacted at: 200 St. Paul Place, 16th Floor, Baltimore, MD 21202; (888) 743-0023; and www.oag.state.md.us.
Individuals should report known or suspected identity theft or fraud to law enforcement. To further protect against possible identity theft or other financial loss, individuals are encouraged to remain vigilant, to review account statements, and to monitor credit reports for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, an individual can visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of the relevant credit report.
Anyone who has questions or wants to learn additional information may contact our confidential inquiry line at 1-888-414-8021, Monday through Friday, 9:00 a.m. to 7:00 p.m. Eastern Time (Closed on U.S. observed holidays). Please use this reference number when calling: 1122051415.
SOURCE Beacon Health System