HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Saint Agnes Health Care Hack Exposes 25,000 HIPAA Records

Saint Agnes Health Care, Inc. of Maryland has reported that hackers have gained access to an email account as a result of a phishing campaign. One email account was compromised in the attack; however that user had privileges to access Protected Health Information (PHI) and the account contained the records of approximately 25,000 patients of the facility.

Out of the 24,967 records exposed, only four contained Social Security numbers but a considerable amount of data was potentially obtained by the person responsible for the attack. The data included patient names, gender, dates of birth, medical record numbers and health insurance information and a limited amount of clinical data.

It is not clear from the notice when the incident occurred, although it was posted on the company website on April 27, 2015 and the incident was reported to the Office for Civil Rights on April 24, 2015.

The email account that was compromised was immediately closed as soon as the intrusion was detected and the healthcare provider has been on high alert since. No further threat is believed to remain of further records being compromised, although the hacker responsible for the attack may have been able to copy the PHI of the affected patients.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

A computer forensics investigation was conducted to determine the extent of the breach and the patients affected. St. Agnes is now taking steps to ensure that a similar breach will not occur in the future.

Sharon McNamara is the Corporate Responsibility Officer at Saint Agnes Healthcare, Inc. She issued a statement which was posted on the St. Agnes website in which she said “we reported the incident to our e-mail service provider and are evaluating additional ways to enhance our already robust security program,” she also said “we will continue to implement administrative, technical and physical safeguards against unauthorized access of protected health information.”

When Social Security numbers are obtained by criminals the risk of fraud is significantly increased. Because of this, Saint Agnes Health Care will be offering credit monitoring services to the individuals whose Social Security numbers were present in the data.

All affected St. Agnes patients have been sent breach notification letters and have been advised to obtain a free credit report from TransUnion, Experian and Equifax. They should also monitor their credit statements closely

Health Plan Network Server Hack Exposes 12,500 Records


This is not the only hacking incident to be reported to the Office for Civil Rights this month. Seton Family of hospitals suffered a major data breach in which 39,000 records were compromised. Concordia Plan Services issued a breach notification to the OCR on behalf of the Concordia Health Plan after a network server was hacked. The incident exposed the records of 12,500 individuals, although at this stage it is not clear exactly what data was obtained by the hacker or when the incident occurred.

St.Vincent Medical Group, Inc. reported a hacking incident in which data in an email account was compromised resulting in 756 records being exposed. 5,440 records of the Health Plan operated by the International Union of Operating Engineers Local Unions 181, 320 & TVA Health and Welfare Trust Fund were reported as being obtained in a network server incident, while the ADT LLC Group Health & Welfare Plan also had a network server incident in which 3,074 records were exposed.

So far this month, six hacking incidents have been reported to the OCR in which 85,737 records have been obtained by hackers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.