Elizabethtown Community Hospital, part of the University of Vermont Health Network, notified about 32,000 patients that their personal health information was breached during an email hack.
On October 18, hospital officials discovered an unauthorized user had accessed an employee email account. The password to the account was immediately changed and officials hired a forensics team to investigate.
The 60-day investigation determined the breach began on October 9, nine days before it was discovered. Only one email account had been compromised, and the hack did not impact medical records or the Elizabethtown Community Hospital IT systems.
The compromised email account contained PHI, which varied by patient. The data included names, dates of birth, addresses, and medical information, like medical record numbers, service summaries, dates of care, and limited medical information. About 1,200 Social Security numbers were breached.
Further, the investigation concluded it’s possible the hacker was able to view or copy the data.
Officials are continuing to investigate the scope of the security event, and it’s possible that fewer patients were impacted by the breach. Officials have bolstered email system security and are retraining staff on security to “assure protection of patients’ information.”
“We are very sorry this has happened,” officials said in a statement. “We take seriously our responsibility to protect the privacy and confidentiality of the personal information of our patients and employees.”
Email hacks continue to plague the healthcare sector, with breaches caused by patient data left stored in accounts. In November, HealthEquity notified about 190,000 customers that their data may have been breached after a hack on two employee email accounts.