Ken Sturtz reports:
Oswego Health has notified an unspecified number of patients about a potential leak of personal information via an employee email account earlier this year.
In a letter sent to affected patients, Oswego Health said it had discovered “potential unauthorized access to an employee email account” between June 11 and June 15. The letter was dated Sept. 30, 2020, but officials did not elaborate on when or how the potential leak was discovered.
It took them 3 1/2 months to investigate and notify a breach related to one employee’s email account? I know the pandemic affected a lot of things, but this is significantly beyond the 60 day window in HIPAA for notification.
A breach was first
reported on Becker’s on June 17. Becker’s reported that ‘The email account of an employee at Oswego (N.Y.) Health was compromised June 16 by someone not associated with the health system. The hacker used the employee’s account to send an email containing a link to a possibly malicious site. Its subject line read “[secure] pt # 18337.”‘
It is not clear, but it is likely that may have been related to the report that an employee’s email account was compromised between June 11- 15.
DataBreaches.net had written to Oswego Health to seek information over the summer, but they had never responded.
There does not appear to be any notice on their web site as of the time of this publication and there is no incident listed on HHS’s public breach tool as of the time of this publication. This post may be updated if more information becomes available.
Read more on Oswego County News Now.