Healthcare System Phishing Breach Affects 209,000

Posted by HIPAA Software on Nov 10, 2021

Massachusetts-based UMass Memorial Health is the latest large healthcare network to report an email phishing incident that potentially compromised hundreds of thousands of individuals’ protected health information.

The unauthorized access to “a limited number” of employee email accounts lasted about seven months – from June 24, 2020, to Jan. 7, 2021 – before it was detected, Worcester, Massachusetts-based UMass Memorial says in a breach notification statement posted on its website.

UMass Memorial Health, which includes an academic medical center, three other hospitals and a medical group, reported to the Department of Health and Human Services on Oct. 15 an email hacking incident affecting more than 209,000 individuals, according to HHS’ Office for Civil Rights’ HIPAA Breach Reporting Tool website. Commonly called the “wall of shame,” the website lists health data breaches affecting 500 or more individuals.

Breach Details

UMass Memorial Health in its notification statement says that it determined on Jan. 27 that some employees’ email accounts may have been accessed by an unauthorized person.

On Aug. 25, the healthcare entity completed the process of identifying individuals with information contained in the accounts, the statement says.

For affected patients, the information involved included names, dates of birth, medical record numbers, health insurance information and clinical or treatment information, such as dates of service, provider names, diagnoses, procedure information and/or prescription information, UMass Memorial Health says.

For affected health plan participants, the information involved included names, subscriber ID numbers and benefits election information. For some individuals, a Social Security number and/or driver’s license number was also involved, the statement says.

“We do not have any evidence that your information was in fact viewed or accessed, only that it was simply contained within an email account that was compromised,” UMass Memorial Health says.

The organization says it has no evidence that any information has been misused, but is offering affected individuals one year of complimentary identity and credit monitoring.

The phishing incident did not affect all UMass Memorial Health patients or health plan participants – only those whose information was contained in the affected email accounts, the statement adds.

UMass Memorial Health says that, to prevent similar incidents in the future, it has reinforced staff education on how to identify and avoid suspicious emails. The organization is also making additional security enhancements to its email environment, including enabling multifactor authentication.
