The personal and medical information of 49,351 patients was exposed after a malicious actor gained access to two employee email accounts, as disclosed by Minnesota-based Alomere Health.
Alomere Health is a community-owned, non-profit general medical and surgical hospital in Alexandria with 127 beds. It has been twice named as one of the Top 100 hospitals by Thomson Reuters. Alomere Health is accredited by the Healthcare Facilities Accreditation Program (HFAP) and has a Level III trauma centre.
On November 6, 2019, the IT staff discovered that an employee’s email account was accessed by at least one unauthorized third party between October 31 and November 1, 2019. The hospital started notifying impacted patients on January 3, 2020.
Soon after securing the breached account and starting an investigation with the help of a forensic security outfit, Alomere Health found that a second employee’s email was breached on November 10.
There is no indication that any information was removed from the email accounts or that patient information has been misused.
The exposed data includes names, addresses, dates of birth, medical record numbers, health insurance information, and diagnosis and/or treatment information. A limited number of patients also had their Social Security numbers and driver’s license numbers exposed.
Alomere Health is going to offer free credit monitoring and identity protection services to affected patients.
“The Minnesota-based hospital advises customers who received an email notification regarding this security breach to ‘review any statements they receive from their health insurers or healthcare providers’ and contact them immediately if they discover anything out of place like services that they did not receive being billed,” stated BleepingComputer.
The hospital announced that it has added additional security measures, including staff training, to prevent future cybersecurity incidents.