Personal and medical information of 49,351 patients of Minnesota-based Alomere Health might have been exposed following the compromise of two employees’ email accounts.
Exposed data include names, addresses, dates of birth, medical record numbers, health insurance information and diagnosis and treatment details information. Attackers also accessed Social Security numbers and driver’s license numbers for some patients.
The incident was discovered on November 6, 2019, the IT staff discovered that an employee’s email account was accessed by at least one unauthorized third party between October 31 and November 1, 2019.
The Alomere Health hospital started notifying impacted patients on January 3, 2020.
The hospital launched an investigation with the help of an external forensic firm, and on November 10 the experts discovered that also a second employee’s email was compromised on November 6.
“The investigation was unable to determine whether the unauthorized person(s) actually viewed any email or attachment in either account,” reads the hospital’s breach notification.
“In an abundance of caution, we reviewed the emails and attachments in the accounts to identify patients whose information may have been accessible to the unauthorized person(s).” “In an abundance of caution, we reviewed the emails and attachments in the accounts to identify patients whose information may have been accessible to the unauthorized person(s). From this review, we determined that portions of some patients’ information were contained in the email accounts.”
The hospital announced to have implemented additional security measures to prevent future incidents, including staff training.