Share this article on:
An unauthorized individual has gained access to an email account of an employee of Hill Country Memorial Hospital and sent a number of fraudulent invoices, but potentially also accessed the protected heath information of certain patients.
The Fredericksburg, TX hospital discovered the email account of an emergency room employee had been accessed on February 21, 2017. The attack is believed to have been conducted solely for the purpose of sending fraudulent invoices to the hospital’s accounts payable department. However, the email account contained a range of ePHI which could potentially have been accessed and stolen by the attacker.
The investigation into the security breach did not reveal whether any emails had been accessed, and if the ePHI of patients had been viewed or copied, but the possibility could not be ruled out. The email account contained patients’ names, addresses, ID numbers, dates of birth, prescription and treatment information, medical diagnoses, procedure information and Social Security Numbers.
In is unclear at this stage how the criminal gained access to the email account, although steps have now been taken to secure the account to ensure further unauthorized access is not possible. A password reset has also been performed on all email accounts and logins have been changed as a precaution against further attacks. The hospital is also evaluating further measures that can be implemented to strengthen security. The hospital has notified law enforcement about the breach and the investigation into the incident is continuing. It is unclear whether any of the fraudulent invoices sent from the breached account resulted in payments being made.
The incident has been reported to the Department of Health and Human Services’ Office for Civil Rights. The breach report indicates 8,449 patients have been impacted by the incident.
Jayne Pope, Chief Executive Officer of Hill Country Memorial Hospital has apologized to patients for the inconvenience caused to patients and has confirmed that the hospital takes patient privacy very seriously. Out of an abundance of caution, all patients impacted by the incident have been offered credit monitoring and identity theft protection services for 12 months without charge.