Centura Health has revealed that an email security incident has resulted in the protected health information (PHI) of 7,515 patients being compromised.
Centura Health, based in Centennial, Colorado, discovered the breach on April 16, 2019. IT security staff immediately took steps to secure the account and revoke unauthorised access. An investigation was launched into the incident to determine the extent of the breach and how the hacker gained access to the account.
The investigation concluded that the hacker may have been able to access emails and email attachments during the window in which they had access to the account. The investigators stated that there was no firm evidence that the hacker had accessed, downloaded, or used the PHI, but they could not firmly rule out these possibilities, and Centura Health decided to alert patients to the incident. Per HIPAA’s Breach Notification Rule, notification letters were sent on May 22, 2019.
The files affected by the breach included information such as patient names, dates of birth, demographic information, medical record numbers, account numbers, dates of services, treating physician, services received, medical device supplied, and other clinical information. The hacker could not access Social Security numbers, financial information, or health insurance information.
In a statement, Centura Health declared that they had implemented new policies and procedures to mitigate the risk of a future breach of a similar nature. They have started to re-educate their workforce on email security and the risk posed by phishing attacks. They have also established ‘strong password’ policies and generally strengthened email security protections.