On April 27, 2018, Billings Clinic reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS).
The email breach at Billings Clinic, which is based in Billings, Montana, affected the protected health information of 949 individuals.
Billings Clinic is classified as a Healthcare Provider.
According to Billings Clinic’s statement to the Billings Gazette:
All of the patients who were part of the breach had access to or used the pharmacy at the hospital’s main campus, 2800 10th Ave. N., hospital spokesman Luke Kobold said Friday by telephone.
“We want to stress it did not include any of the hyper-sensitive information” such as social security numbers, credit card numbers, or banking or insurance information, Kobold said. It may have included patient names, dates of birth, phone number and amounts owed to the pharmacy.
The number of patients involved in the breach is “a small fraction of our overall data base,” he added.
The incident did not compromise Billings Clinic’s electronic medical record or financial systems, and there is no evidence that any patient information has or could have been misused, Kobold said in a news release.
Clinic officials became aware of unusual activity within its email system in February. The hospital hired a national digital forensics firm to investigate the sources and scope of the attack.
That investigation concluded in mid-April, Kobold said. It revealed an unauthorized individual viewed a limited number of emails that contained patient information.
Access to those email accounts was blocked, and additional security measures were put in place for all accounts, the news release said.
Billings Clinic is providing information to patients about the breach and suggesting steps they can take to monitor and protect their personal information. The hospital also reported the incident to the FBI.
“With these cyber-security threats expanding across the globe, we continue to invest in technology and educate our employees,” Kobold said. “As rapidly evolving as these attacks are, we need to constantly be on our toes.”
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.