Black River Medical Center in Missouri has sent notification letters to an unspecified number of patients potentially affected by a phishing incident discovered in April. Here is their June 13 notice from their web site:
Black River Medical Center has become aware of a potential data security incident that may have resulted in the inadvertent exposure of some patients’ personal information. Although at this time there is no evidence that patient information was actually accessed or viewed, or any indication that anyone’s information was actually misused, we have taken steps to notify any patients who may have been affected by this incident. This includes sending letters to anyone whose information might have been exposed.
On April 23, 2018, we discovered that an employee’s email account was compromised as the result of a phishing attack. Our IT department immediately commenced an investigation to determine whether sensitive information in the account was at risk. The investigation determined that an unknown, unauthorized third party gained access to the employee’s email account and could have viewed or accessed the information contained therein, which included patients’ names, addresses and phone numbers, and in certain instances, limited treatment information. Fortunately, Social Security numbers or financial / billing information were not involved in this incident.
At this time, there is no evidence that the unauthorized party actually accessed or viewedany patient information in the email account, and Black River is not aware of any misuse of patient information. Notification letters mailed on June 13, 2018, include additional information about what occurred and a toll-free number that patients can call to learn more about the incident. The call center is available Monday through Friday from 7:00 AM and 7:00 PM Central, and can be reached at 1-800-939-4170. For more information, you may also visit https://stage.myidcare.com/BlackRiverMedicalCenter.
The privacy and protection of patient information is a top priority for Black River Medical Center, which regrets any inconvenience or concern this incident may cause.
The incident is not on HHS’s public breach tool at the time of this blog post. Whether that is a function of less than 500 patients being notified or just due to some delay in posting on HHS’s part is not yet clear.