On October 12, 2018, Catawba Valley Medical Center submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS).
Based in Hickory, North Carolina, Catawba Valley Medical Center’s email breach affected 20,000 individuals’ protected health information.
Catawba Valley Medical Center is classified as a Healthcare Provider.
According to this report about Catawba Valley Medical Center’s breach:
On August 13, 2018, Catawba Valley Medical Center (CVMC) in Hickory, NC discovered an unauthorised individual accessed the email account of a CVMC employee. Upon discovery of the email breach, steps were taken to secure the account and prevent further access and a third-party computer forensics firm was called in to assist with the investigation and determine the extent of the breach.
That investigation revealed that between July 4 and August 17, 2018, three employees’ email accounts had been compromised after the employees responded to phishing emails. Some of the emails in those accounts contained patients’ protected health information including names, dates of birth, details of medical services received at CVMC, health insurance details, and for certain patients, Social Security numbers.
No evidence was found to suggest that any emails had been accessed or copied and no information has been received to suggest patient health information has been misused in any way.
The phishing incidents have prompted CVMC to hire security experts to enhance employee education, more robust email security controls have been implemented, and CVMC will continue to upgrade hardware and software as appropriate to repel malicious threats.
All patients whose protected health information may have been compromised as a result of the email account breaches were notified by mail on October 12, 2018.
The breach summary on the HHS’ Office for Civil Rights’ breach portal indicates up to 20,000 patients have potentially been affected by the email account breaches.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.