Email Breaches Reported by Massachusetts and Tennessee Hospitals
McLean Hospital, Delta Specialty Hospital, and FC Compassus have discovered unauthorized access to their email systems and the exposure of patient data.
McLean Hospital
McLean Hospital in Belmont, MA, a Mass General Brigham affiliate, has notified 2,231 patients about unauthorized access to an email archive that contained the data of patients who received an MRI scan as research participants or through clinical services between June 15, 2020, and February 9, 2024. The unauthorized access was detected on February 8, 2024, and the review of the email archive was completed on May 3, 2024. Notification letters were mailed to the affected individuals on May 21, 2024.
The types of data involved varied from individual to individual and may have included names, addresses, phone numbers, email addresses, dates of birth, medical record numbers, Social Security numbers, health insurance information, driver’s license numbers, and some clinical information, such as procedure type, diagnosis, medications, clinical locations, and whether the individual participated in a research study. For most of the affected individuals, only limited information was exposed.
McLean Hospital said steps have been taken to prevent similar incidents in the future and 24 months of complimentary credit monitoring services have been offered to the affected individuals.
FC Compassus
FC Compassus, a Tennessee-based provider of home health infusion, hospice, and palliative care, identified suspicious activity in an employee’s email account on April 2, 2024. The account was immediately secured to prevent further unauthorized access and an investigation was launched to determine the cause of the activity and whether patient data was viewed or acquired.
The investigation confirmed that there had been unauthorized access to the account and to one file that contained patient data. The file included patient names, the names of referral sources, and referral dates. Other information in the account that may have been viewed included admission dates, notes related to the admission process, and status/date of death.
The unauthorized access was identified and contained quickly, but the information of 2,703 patients was nonetheless exposed. FC Compassus has offered the affected individuals 12 months of complimentary credit monitoring and identity theft protection services. Multifactor authentication was already in place for email accounts at the time of the attack, so it did not by itself prevent the access; additional safeguards are now being evaluated.
Delta Specialty Hospital
Delta Specialty Hospital in Tennessee has notified 1,019 patients about unauthorized access to an employee’s email account. The breach was detected on January 11, 2024, and the forensic investigation confirmed that the account was accessed by an unauthorized third party between January 11 and January 15, 2024. All emails in the account were reviewed to determine the patients affected and the types of data involved. The review was completed on May 21, 2024, and confirmed that names, addresses, patient numbers, medical record numbers, provider names, treatment and health insurance information, and/or status as a Delta patient had been exposed. Delta Specialty Hospital has implemented additional safeguards and technical security measures to prevent similar incidents in the future.