HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Two Maine Healthcare Providers Report Email Security Breaches Impacting 52,000 Patients

InterMed, one of the largest healthcare providers in Southern Maine, has discovered the personal and health information of up to 30,000 patients has potentially been accessed by an unauthorized individual as a result of a recent email security breach.

On September 6, 2019, InterMed discovered an employee’s email account had been accessed by a third-party without authorization. An independent investigation into the breach revealed the account was compromised on September 4 and a further three employee email accounts were also found to have been compromised between September 7 and September 10, 2019.

Emails and attachments in the compromised accounts contained patient information such as names, dates of birth, clinical information, and health insurance information, and for 155 individuals, Social Security numbers. The breach was limited to email accounts. The electronic medical record system was not accessed. It was not possible to determine whether emails in the account were actually viewed.

The compromised email accounts were immediately secured, and affected patients were notified about the breach on November 5. Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services. InterMed has said “we are enhancing our adherence to email best practices,” and strengthening security to protect against further attacks.

Sweetser Breach Impacts 22,000 Current and Former Clients

Another Maine healthcare organization has also recently announced an email system breach. Sweetser, a Saco, ME-based provider of mental health services, discovered a potential email account breach on June 24, 2019 when suspicious activity was identified in the account. Assisted by a digital forensics company, the breach was confirmed as affecting other employee email accounts, which were accessed by an unauthorized individual between June 18 and June 27, 2019.

Sweetser said it was informed on September 10, 2019 that one or more of the compromised email accounts contained patient information. The incident was reported to the Department of Health and Human Services’ Office for Civil Rights on September 13, 2019 as affecting 22,000 patients. Sweetser announced the breach and started sending patient notification letters on October 25, 2019.

The types of information in the email accounts varied from patient to patient and may have included names, addresses, telephone numbers, dates of birth, health insurance information, Social Security numbers, identification numbers, drivers license numbers, Medicare/Medicaid information, payment/claims information, diagnosis codes, and information on patients’ medical conditions and treatments.

Individuals whose Social Security number was potentially compromised are being offered complimentary credit monitoring and identity theft protection services.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.