Adirondack Health Notifies 25,000 Patients of Data Breach That Occurred in March 2019

• It was found that the hackers had gained access to an employee’s email account for two days.
• According to officials, the hack was being controlled remotely from a location outside of the US.

Vermont-based Adirondack Health has begun notifying approximately 25,000 patients of a March phishing attack, which potentially breached a wide range of sensitive data.

What happened?

On March 4, 2019, Adirondacks Accountable Care Organization, which regulates the services of Adirondack Health, discovered unauthorized access to the email account of an employee. It was found that the hackers had gained access to the employee’s email account for two days. According to officials, the hack was being controlled remotely from a location outside of the US.

What data is involved?

The attack may have resulted in the compromise of patients’ names, birth dates, Medicare ID numbers or health insurance numbers and other clinical information. For some patients, Social Security numbers were also compromised in the incident.

An investigation into the emails and contents of the compromised account found that there was one email that contained protected health information. This information was shared with North County patients who had missed appointments for baby health screenings.

The conversation also included a ‘gap-in-care’ analysis spreadsheet with PHI attached to the email. However, it is still unknown if the spreadsheet was accessed by hackers, Adirondack Daily Enterprises reported.

What is being done?

Upon discovery, the healthcare firm had immediately secured the affected account. Since the cyberattack, Adirondack Health has also improved its email policies and procedures for communications that include patient data. All the affected patients will receive free credit monitoring and identity theft services for a year.