Share this article on:
Valley Hope Association has announced that an unauthorized individual has gained access to the email account of an employee.
Valley Hope Association became aware of a potential account breach on October 10, 2018, when unusual account activity was detected. Prompt action was taken to prevent further account access and a third-party computer forensics firm was hired to determine the nature and scope of the breach.
The investigation confirmed on November 23, 2018, that an unauthorized individual had accessed a single email account between October 9-10, 2018, and potentially viewed emails and attachments containing patients’ protected health information. After a thorough review of all emails and email attachments, the forensics firm confirmed that certain patients’ PHI may have been accessed.
The types of information contained in the emails varied from patient to patient and may have included one or more of the following data elements: Name, address, date of birth, Social Security number, medication and prescription information, claims and billing information, medical record number, health insurance information, and physician’s name. No diagnosis or treatment information was contained in the emails.
Following the confirmation of exposed information, Valley Hope Association has been attempting to identify current contact information for all affected individuals and each will be notified and told about the exact information that has potentially been compromised. While data access/theft is a possibility, no reports have been received to suggest any patient information has been misused.
As a precaution against identity theft and fraud, patients impacted by the breach have been offered 12 months of complimentary identity theft monitoring services through Kroll.
Valley Hope Association has been reviewing and revising its policies and procedures to further protect the security and confidentiality of information on its systems and additional safeguards will be implemented as appropriate.
The breach has been reported to law enforcement, state regulators, credit monitoring bureaus, and the Department of Health and Human Services Office’ for Civil Rights. The breach report on the OCR website indicates the incident has affected 70,799 individuals.