Summa Health suffered data breach compromising patients’ information

• The healthcare organization said that two employee email accounts were accessed in August 2018, and another two employee email accounts were accessed between March 11 and March 29, 2019.
• The compromised email accounts contained patients’ personal information for over 500 patients including names, dates of birth, medical records, patient account numbers, clinical and treatment information.

Summa Health suffered a data breach incident after some of its employees had their email accounts compromised in a phishing attack.

The big picture

On May 01, 2019, Summa Health became aware that an unauthorized third-parties gained access to some of its employees' email accounts.

The healthcare organization said that two employee email accounts were accessed in August 2018, and another two employee email accounts were accessed between March 11 and March 29, 2019.

Upon discovery, Summa Health secured the compromised email accounts and hired a forensic firm to conduct an investigation into the incident.

What information was involved?

• The compromised email accounts contained patients’ personal information for over 500 patients including names, dates of birth, medical records, patient account numbers, clinical and treatment information.
• The email accounts also contained Social Security numbers and driver’s license number for a limited subset of patients.

What are the security measures taken?

• Summa Health is providing training for its employees on privacy and security.
• It is also implementing additional security measures in order to avoid such incidents from happening in the future.
• Further, the health system is notifying the potentially impacted individuals about the incident and is requesting them to review statements from their healthcare providers and health insurers.
• It is providing free credit monitoring and identity protection services for patients whose Social Security number or driver’s license number were compromised.

“If they see services that the patient did not receive, they should contact the provider or insurer immediately. For eligible patients whose Social Security number or driver’s license number was found in the email accounts, Summa Health is offering complimentary credit monitoring and identity protection services,” a spokesman for the health system said, Cleveland reported.