On December 17, 2018, The University of Vermont Health Network – Elizabethtown Community Hospital submitted a HIPAA Email Breach to the U.S. Department of Health and Human Services (HHS).
Located in Elizabethtown, NY, the email breach potentially affected 32,000 individuals’ protected health information.
UVHN Elizabethtown Community Hospital is classified as a Healthcare Provider.
According to a notice on UVHN Elizabethtown Community Hospital’s website:
We are notifying individuals potentially affected by a recent data security incident in which, for a brief period of time, an employee’s email account was remotely accessed by an unauthorized user. We completed an initial 60-day investigation of the incident and have no evidence of any fraud or identity theft to any individual as a result of this incident.
The incident, which occurred on October 9, 2018, was limited to one employee’s email account and did not involve the hospital’s computer networks or electronic medical records, nor did it involve the email or information technology systems at any of the Network’s other affiliates. Upon learning of the incident on October 18, 2018, we immediately took action, including changing passwords, implementing enhanced security features and engaging a leading forensic security firm to assist with the investigation.
We are very sorry this has happened. We take seriously our responsibility to protect the privacy and confidentiality of the personal information of our patients and employees. To help prevent something like this from happening in the future, we have taken organization-wide steps to enhance the security of our email system, and we are reinforcing education with our staff to assure protection of patients’ information.
Although the hospital has no evidence that any personal information was viewed or used by an unauthorized party, as part of the investigation, we searched for any personal information in the email account that may have been viewed. We determined that the email account contained individuals’ personal information, including some individuals’ names, dates of birth, addresses and limited medical information; primarily information associated with billing such as medical record numbers, dates of service and a brief summary of services provided. The account also contained the Social Security numbers of some individuals.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.