HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hill Country Memorial Hospital Discovers Email Account Compromise

An unauthorized individual has gained access to an email account of an employee of Hill Country Memorial Hospital and sent a number of fraudulent invoices, but potentially also accessed the protected heath information of certain patients.

The Fredericksburg, TX hospital discovered the email account of an emergency room employee had been accessed on February 21, 2017. The attack is believed to have been conducted solely for the purpose of sending fraudulent invoices to the hospital’s accounts payable department. However, the email account contained a range of ePHI which could potentially have been accessed and stolen by the attacker.

The investigation into the security breach did not reveal whether any emails had been accessed, and if the ePHI of patients had been viewed or copied, but the possibility could not be ruled out. The email account contained patients’ names, addresses, ID numbers, dates of birth, prescription and treatment information, medical diagnoses, procedure information and Social Security Numbers.

In is unclear at this stage how the criminal gained access to the email account, although steps have now been taken to secure the account to ensure further unauthorized access is not possible. A password reset has also been performed on all email accounts and logins have been changed as a precaution against further attacks. The hospital is also evaluating further measures that can be implemented to strengthen security. The hospital has notified law enforcement about the breach and the investigation into the incident is continuing. It is unclear whether any of the fraudulent invoices sent from the breached account resulted in payments being made.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 8,449 patients have been impacted by the incident.

Jayne Pope, Chief Executive Officer of Hill Country Memorial Hospital has apologized to patients for the inconvenience caused to patients and has confirmed that the hospital takes patient privacy very seriously. Out of an abundance of caution, all patients impacted by the incident have been offered credit monitoring and identity theft protection services for 12 months without charge.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.