Email Accounts Compromised at Aultman Hospital & Benefit Management LLC
On April 24, 2024, Aultman Hospital in Canton, OH, identified phishing emails being sent from an employee’s email account. The account was immediately secured, and an investigation was launched which confirmed that the employee’s email account had been compromised without their knowledge between April 22 and April 24, 2024.
The investigation included an analysis of the email system, and it was confirmed that the incident was limited to the email account of a single employee and that the attacker had not gained access to any other IT systems. Aultman Hospital suspects the aim of the attack was a phishing email scheme to compromise email accounts rather than to access emails and attachments in accounts; however, it was not possible to rule out unauthorized access to emails and email attachments.
A manual review of the emails and attachments confirmed that they contained patient information. The information exposed varied from individual to individual and may have included one or more of the following: patient names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, diagnoses, and/or treatment information.
Notification letters started to be mailed to the affected individuals on June 21, 2024. Additional safeguards and technical security measures have been implemented and cybersecurity training has been increased. The HHS’ Office for Civil Rights breach portal indicates that 6,890 individuals have been affected.
Benefit Management Discloses April 2023 Email Account Breach
Benefit Management LLC, a Great Bend, KS-based third-party benefit administrator, has recently notified 6,272 individuals that some of their protected health information was stored in email accounts that were accessed by an unauthorized third party. Suspicious activity was detected in an employee email account on or around April 17, 2024. External computer forensics experts were engaged to investigate the activity and confirmed that there had been unauthorized access to multiple employee email accounts between April 14, 2023, and April 17, 2023.
A review was conducted to determine the individuals affected and the types of information exposed. Benefit Management said the review was time-consuming and was not completed until April 1, 2024. The affected clients were then notified, and Benefit Management offered to mail notification letters to the affected individuals on their behalf. The breach was reported to the HHS’ Office for Civil Rights on June 12, 2024.
The types of data involved varied from individual to individual and may have included one or more of the following: name, address, date of birth, Social Security number, diagnosis/condition, health insurance information, medical information, claims information, prescription information, medical record number, and Medicare/Medicaid identification number.
Benefit Management is unaware of any misuse of the exposed information; however, as a precaution, the affected individuals have been offered complimentary credit monitoring services for 12 months.


