On July 13, 2018, Charles Cole Memorial Hospital (UPMC) reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS).
The breach at Charles Cole Memorial Hospital, which is based in Coudersport, Pennsylvania, affected the protected health information of 790 individuals.
Charles Cole Memorial Hospital is classified as a Healthcare Provider.
According to this report about Institute on UPMC’s statement:
“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” said UPMC Cole’s president and senior executive Ed Pitchford. “UPMC is committed to meeting our patients’ privacy expectations. We cannot confirm if any of the information was used for improper purposes, but, out of an abundance of caution, we deemed it appropriate to inform those possibly affected by this breach.”
As a result of UPMC Cole’s internal investigation, it was determined that there were two phishing attacks (emails sent from an external source that look like they are from a trusted source attempting to obtain sensitive information and often contain links to a phony login page or fake website) on June 7 and June 14 that were discovered through staff reports of the receipt of the emails.
The phishing attacks were isolated to email accounts and no medical records systems were breached. The following information was discovered in the emails to varying degrees for each patient, including patients’ names, dates of birth, scheduling information, types of procedures, names of providers and other general treatment information. No patient Social Security numbers were accessed during the phishing attacks.
UPMC Cole has notified the U.S. Department of Health and Human Services as required by the Federal Health Insurance Portability and Accountability Act that the information may have been accessed.
UPMC Cole has sent letters notifying all of the patients affected.
UPMC Cole has provided patients with information on how to place a fraud alert in their files with the three major credit-reporting companies, and has supplied them with links to access identity protection resources available through the Federal Trade Commission. UPMC Cole has also set up a toll-free telephone line with representatives who can answer questions from these patients and respond to any concerns.
UPMC Cole took immediate corrective action by blocking the unwanted access.
“We are committed to keeping patient information secure and strive to continually implement improvements to prevent such an incident from happening again,” Pitchford said.
HHS Wall of Shame
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights.
As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
HIPAA Breach Report
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.