On Feb. 20, Rutland Regional Medical Center in Vermont posted a notice on its web site that says, in pertinent part:
Rutland Regional Medical Center (“Rutland Regional”) recently discovered an incident that may affect the security of personal information of certain individuals who received care from its facility. We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward. Rutland Regional is also contacting the appropriate regulators regarding this incident.
What happened?
On December 21, 2018, a Rutland Regional employee identified a high volume of spam emails being sent from their email account. The employee reported this activity to Rutland Regional’s IT Department on December 29, 2018. Subsequently, on December 31, 2018, Rutland Regional’s IT Department determined the employee’s email account was subject to unauthorized access and immediately changed the employee’s password and locked the account.
Rutland Regional enlisted the assistance of a third-party forensic expert to further investigate this incident. Although the investigation is ongoing, Rutland confirmed on February 6, 2019 that an unauthorized actor or actors had access to nine (9) employees’ email accounts at certain times between November 2, 2018 to February 6, 2019. No Electronic Medical Record systems or other Rutland Regional internal systems were affected.
What information may have been affected by this incident?
Though the investigation into this matter is ongoing, currently it is believed that the unauthorized actor may have had access to information related to certain individuals who were treated at Rutland Regional, including the following types of information: name, contact information, Social Security number, financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, and health insurance information.
Rutland Regional cannot confirm whether any specific information within the affected email accounts was actually accessed, viewed, or acquired without permission. They are providing this notification out of an abundance of caution to anyone whose information was accessible within the email accounts.
Read more on RRMC. The number of patients being notified was not disclosed and the incident is not on HHS’s breach portal (yet).