York Hospital Announces Employee Data Theft Incident

The recent spate of attacks on healthcare providers continues with yet another healthcare provider announcing a cyberattack that has resulted in healthcare employee data being stolen. Few details of the attack on York Hospital in Maine have been released, although the latest incident has all the hallmarks of two other data breaches that were reported by healthcare providers in the past two weeks.

York Hospital’s Director of Marketing, Jody Merrill, issued a statement saying “York Hospital was victimized by cyber criminals who fraudulently stole personal identifying information of York Hospital employees.”

The exact details of the incident have not been provided to the press. CEO Jud Knox took the decision not to comment on the attack at this stage until further information is known. The theft occurred on Monday this week, Merrill’s statement was issued on Wednesday, and the matter has been reported to the FBI.

What is known is that the stolen data include the type of information commonly found on W2 forms. The theft involved exactly the same data types as were emailed to scammers by an employee at Magnolia Health Corporation, CA, last week and St. Joseph’s Healthcare System, NJ, this week. In both of those incidents an employee responded to an email request to send employee data, with the email appearing to have been sent by a senior executive in the company.

Affected employees, which include physicians, nurses, and maintenance staff, had their full names, addresses, contact telephone numbers, Social Security numbers, and earnings details stolen by the attackers. Employees who were recruited and joined the hospital in 2016 were not affected, only those who were employed during 2015.

York Hospital is a 79-bed facility in Southern Maine. The healthcare provider also runs four campuses in York County. York Hospital employs around 1400 staff across all of its facilities, although at this stage it is not clear how many employees have had their data stolen. That number is certainly in the hundreds.

All affected individuals are being offered identity theft protection and mitigation services for a period of a year without charge.

Tax Season Email Scam Warning for Healthcare Providers

The latest scam may not be particularly sophisticated, but it is convincing. It involves an email being sent to an employee requesting a spreadsheet containing the tax details of employees. The email appears to come from the account of a senior executive or the CEO of the company.

In at least one of these cases the incident involved the use of a spoofed domain. For example, the attacker would register the domain using “hopsital” instead of “hospital” and create an email address in the format used by that facility. That information could easily be found on LinkedIn or with a Google search.

Scammers can also mask the email address so it appears to have been sent from a genuine address, making the scam even harder to identify.
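Both the lookalike domain and the masked sender address described above can be screened for on inbound mail before a request reaches payroll or HR staff. The following Python is an added example, not part of the original article; the trusted domain, the executive name and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed values for illustration; replace with your own organisation's data.
TRUSTED_DOMAIN = "examplehospital.org"
EXECUTIVES = {"jane doe"}  # display names of senior executives (hypothetical)

def osa_distance(a, b):
    """Edit distance that counts an adjacent-letter swap as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition, e.g. "ps" typed in place of "sp"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def domain_of(header):
    """Lower-cased domain part of an address header value."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def check_sender(from_header, reply_to=None):
    """Return a list of reasons to hold the message for manual verification."""
    findings = []
    name = parseaddr(from_header)[0].strip().lower()
    domain = domain_of(from_header)
    if domain != TRUSTED_DOMAIN:
        # A near-miss of the real domain is more suspicious than an unrelated one.
        if osa_distance(domain, TRUSTED_DOMAIN) <= 2:
            findings.append("lookalike-domain")
        if name in EXECUTIVES:
            findings.append("executive-name-from-external-domain")
    # A genuine-looking From address whose replies go to a different domain.
    if reply_to and domain_of(reply_to) != domain:
        findings.append("reply-to-differs-from-sender")
    return findings
```

A message that returns any finding is a candidate for the out-of-band verification recommended below, not an automatic verdict.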

To prevent becoming a victim of such an attack, it is recommended that all staff with access to employee data are sent an email bulletin to warn them of the scam and advise them to be extremely cautious.

Staff should be told to report any request for employee data to a supervisor. Attempts should be made to verify the genuineness of any email request for data before any information is sent.

Author: HIPAA Journal
