Hmm. The County Line posted the following notice with this preface: Editor’s note: Scenic Bluffs Community Health Centers prepared the following press release on its security breach in late February.
Except I don’t see the notice on their site at all. Or on HHS’s breach tool. Did this not appear on HHS’s breach tool because they used the number 44, or for some other reason?
Cyber attackers gained limited unauthorized access to one staff email account within the Scenic Bluffs Community Health Centers system and may have obtained some information relating to patients.
The health centers notified 2,889 patients of a potential breach of personal patient information after discovering March 1, 2018, that one staff email account had been hacked on Feb. 28, 2018, by an unauthorized party. This party set up a forwarding mechanism that was immediately disabled. Only 44 emails were forwarded, none of which contained any protected personal patient health information. This account was closed, and the breach was resolved.
Mari Freiberg, CEO, noted that while no substantiated breach occurred relevant to any patient, “Federal law and patient privacy protections require this notification based on the mere prospect that someone’s protected information was viewed.”
Scenic Bluffs Community Health Centers mailed notifications on Monday, April 23, to those identified as having a potential impact by this breach. The information that was potentially obtained may have included personally identifiable information.
Scenic Bluffs Community Health Centers has safeguards in place to ensure the privacy and security of all patient health information. As a result of this breach, however, steps are underway to further improve the security of its operations and eliminate future risk. Freiberg added that the health center is working with an outside and respected cybersecurity firm “to further evaluate our systems and identify solutions based on the ever-evolving landscape.”
Scenic Bluffs Community Health Centers has staff available for patients to call with any questions related to the data breach. Patients may call (608) 654-5100, ext. 274, from 8 a.m. to 4 p.m. with any questions.