Two Wyoming Medical Center employees fell for phishing schemes in February, potentially exposing the information of 3,184 patients, the hospital announced Thursday.
Wyoming Medical Center sent letters to the affected patients Wednesday, said Matt Frederiksen, the Casper hospital’s chief compliance officer.
“We have received some phone calls, but it’s been very generic questions about what’s happened,” Frederiksen said. “Nobody’s made any allegations that their information has been compromised, and there is no credit card notifications that was contained in the email systems.”
Phishing emails are messages that appear to come from legitimate sources — such as a bank, friend, colleague or business — and attempt to acquire sensitive information, such as usernames, passwords, credit card information, e-mail addresses or Social Security numbers.
The first employee opened a phishing email and clicked on an attached link on Feb. 22. The second employee opened a phishing email three days later.
Frederiksen doesn’t know the identity of the people or group behind the phishing scheme.
They had access to the employees’ emails for 15 minutes, he said. The hospital could tell the email systems had been compromised within minutes because the accounts had sent spam emails to other hospital employees.
“We knew right away,” he said. “We started taking immediate action updating passwords and ensuring the third party was locked out.”
The records in the email system contained patient names, medical record numbers, account numbers, dates of hospital service, birth dates and some medical information, and the hospital characterized the breach as serious in its announcement. However, patients’ addresses, Social Security numbers or insurance information were not in the records.
No evidence indicates patients’ health information was viewed or copied from the compromised email accounts, and the hospital believes that no information was viewed or acquired because of the short time the emails were exposed, said Kristy Bleizeffer, spokeswoman for the hospital.
As part of their job duties, the two employees communicate via email about patients in a general way to vendors doing business with Wyoming Medical Center. For instance, if a patient needs a knee implant, the employees could talk with a vendor who supplies implants to the Wyoming Medical Center. Such emails could contain the type of device and the name of the patient, Frederiksen said.
“They had access to limited patient information,” Frederiksen said. “They never had access to our electronic medical record system.”
It’s taken nearly two months for the hospital to notify the public of the breach.
“We had to go through each individual email to identify which patients this could affect,” Frederiksen said. “That took several weeks to complete. We then had to prepare all of our notifications. We had to also verify because the information that was contained in the email may not have been comprehensive. We had to verify each one against our patient database records and we had to run reports to obtain the (mailing addresses) to do the notification.”
The hospital notified the U.S. Department of Health and Human Services Office for Civil Rights, the government agency that oversees health privacy violations.
The hospital will continue to review its email and electronic data policies, Frederiksen said.
“One of the patients affected was Vickie Diamond, the hospital’s CEO,” Bleizeffer said. “She’s not worried about it. We feel like this is very low risk. Much of the information was deep into the email system.”
Date: April 21, 2016