Evansville Medical Center Hack Exposes HIPAA Data of 4,400

Hackers have gained access to the E-mail accounts of a number of employees of the St. Mary’s Medical Center in Evansville, Indiana, resulting in the PHI of approximately 4,400 patients potentially being exposed.

A spokesman for St. Mary’s Medical Center, Randy Capehart, issued a statement announcing the HIPAA breach to the press. In the statement he explained the nature of the attack and the data that was potentially exposed.

The E-mail accounts accessed by the hackers contained Protected Health Information together with personal identifiers and some Social Security numbers. Although the data exposed varied from individual to individual, the information mostly contained names, gender, dates of birth, health and insurance information.

The attack occurred in January and all patients affected by the breach are being notified by mail. They have been offered a year of credit and identity protection services if they had their Social Security numbers exposed. All other individuals will be entitled to obtain a free credit report from each of Equifax, TransUnion and Experian.

The breach was identified rapidly and access to the E-mail accounts was shut down promptly, limiting the opportunity for thieves to access PHI, although it is not yet clear how quickly access was stopped or whether the thieves were able to download any information.

Even though the issue was rapidly identified, it took some time for the hospital to determine if any data had in fact been compromised in the incident.

During the investigation, the hospital determined that the cyber attack was of a “sophisticated” nature, and that the hackers had gained access to the accounts via “fraudulent E-mail communications.”

A forensic investigation is continuing in an attempt to determine whether data was accessed or copied, and efforts are being made to determine the identity of the hackers so they can be brought to justice. To date, no one has reported any identity or medical theft, according to St. Mary’s, although crimes of this nature do not tend to take place immediately, and when they do it can take some time for the fraud to be discovered.

The hospital has set up a helpline – 1-877-643-2062 – for anyone seeking more information about the data breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.