HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

York Hospital Announces Employee Data Theft Incident

The recent spate of attacks on healthcare providers continues with yet another healthcare provider announcing a cyberattack that has resulted in healthcare employee data being stolen. Few details of the attack on York Hospital in Maine have been released, although the latest incident has all the hallmarks of two other data breaches that were reported by healthcare providers in the past two weeks.

York Hospital’s Director of Marketing, Jody Merrill, issued a statement saying “York Hospital was victimized by cyber criminals who fraudulently stole personal identifying information of York Hospital employees.”

The exact details of the incident have not been provided to the press. CEO Jud Knox has decided not to comment on the attack until further information is known. The theft occurred on Monday this week, Merrill’s statement was issued on Wednesday, and the matter has been reported to the FBI.

What is known is that the stolen data include the type of information commonly found on W2 forms. The theft involved the same data types as were emailed to scammers by an employee at Magnolia Health Corporation, CA, last week and St. Joseph’s Healthcare System, NJ, this week. In both of those incidents an employee responded to an email request to send employee data, with the email appearing to have been sent by a senior executive in the company.

Affected employees, who include physicians, nurses, and maintenance staff, had their full names, addresses, contact telephone numbers, Social Security numbers, and earnings details stolen by the attackers. Employees who were recruited and joined the hospital in 2016 were not affected; only those who were employed during 2015 were.

York Hospital is a 79-bed facility in Southern Maine. The healthcare provider also runs four campuses in York County. York Hospital employs around 1400 staff across all of its facilities, although at this stage it is not clear how many employees have had their data stolen. That number is certainly in the hundreds.

All affected individuals are being offered identity theft protection and mitigation services for a period of a year without charge.

Tax Season Email Scam Warning for Healthcare Providers

The latest scam may not be particularly sophisticated, but it is convincing. It involves an email being sent to an employee requesting a spreadsheet containing the tax details of employees. The email appears to come from the account of a senior executive or the CEO of the company.

In at least one of these cases the incident involved the use of a spoofed domain. For example, the attacker would register the domain using “hopsital” instead of “hospital” and create an email address in the format used by that facility. That information could easily be found on LinkedIn or with a Google search.

Scammers can also mask the email address so it appears to have been sent from a genuine address, making the scam even harder to identify.

To avoid becoming a victim of such an attack, it is recommended that all staff with access to employee data are sent an email bulletin to warn them of the scam and advise them to be extremely cautious.

Staff should be told to report any request for employee data to a supervisor. Attempts should be made to verify the genuineness of any email request for data before any information is sent.
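A mail-filtering check can back up that manual verification. The following is an added example, not part of the original article: it flags a sender domain that is a near miss of the organization's own (such as the "hopsital" transposition described above), an executive's display name on an outside address, and a Reply-To that diverges from the From domain. The domain `hospital.example`, the executive name, the finding labels and the sample messages are all constructed, and the Reply-To rule is an assumed heuristic for one way a masked address can show up.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "hospital.example"   # assumed: the organization's real mail domain
EXECUTIVES = {"pat example"}      # assumed: display names of senior executives

def osa_distance(a, b):
    """Edit distance that counts a swap of two adjacent letters as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_message(raw):
    """Return a list of warning labels for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Close to, but not equal to, the real domain: likely a registered lookalike.
    if 0 < osa_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # An executive's name attached to an address outside the organization.
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        findings.append("executive-name-external-address")
    # Replies would go to a different domain than the one displayed.
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")
    return findings

# Constructed sample messages (not taken from any real incident).
SPOOFED = ('From: "Pat Example" <pat.example@hopsital.example>\n'
           "Subject: 2015 W-2 spreadsheet\n\nPlease send the employee W-2 data.\n")
MASKED = ('From: "Pat Example" <pat.example@hospital.example>\n'
          "Reply-To: pat.example@mail.example\nSubject: W-2 data\n\nSend today.\n")
LEGIT = 'From: "Payroll" <payroll@hospital.example>\nSubject: Timesheets\n\nReminder.\n'

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("masked", MASKED), ("legit", LEGIT)):
        print(label, check_message(raw))
```

A message that raises any of these labels is a candidate for quarantine or a warning banner, not proof of fraud; the request should still be confirmed with the supposed sender through a separate channel.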

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.