Upstate NY Health Hacking Incident Exposes Data of 25,000 Patients
A hacker gained access to an emailed discussion about upstate NY patients who missed a health screening, leading to a massive breach-of-data warning.
About 25,000 patients were on a “gap in care” spreadsheet, identified in a variety of ways. Some were named with their birth date, some had Social Security numbers, and some had a Medicare or health insurance number included.
All of them were exposed to the hack of an Adirondacks Accountable Care Organization email inbox. However, officials don’t know if the hacker actually looked at the spreadsheet. It was the only item in the email account with private data, said Gregory Daniels, chief compliance officer for the Adirondacks ACO, “There’s no way to know if anything was actually viewed,” he said.
Adirondacks ACO is a Plattsburgh-based agency that analyses health data for the entire region. All the Adirondack region’s hospitals and most medical groups use Adirondacks ACO for analytics, including those run by Adirondack Health, the University of Vermont Health Network, Glens Falls Hospital and Hudson Headwaters Health Network.
The agency started sending out 20,000 letters last week to notify each patient of the data breach, as reported by the Adirondack Daily Enterprise. On Friday, 5,000 more letters were sent out, and a few more remain.
The incident started with two employees discussing data about patients who missed a baby wellness exam and other screenings. It was part of a “population health” analysis. They were going to send the information to physicians in the network, who could decide how to contact their patients.
Then a hacker from outside the country accessed the email account. It was not a phishing attack, where an employee clicks on an email that appears to be legitimate but unintentionally opens a way for a hacker to access the system.
The email account was hacked between March 2 and 4, and was discovered by the Champlain Valley Physician’s Hospital in Plattsburgh on March 4. The account was held by an employee who worked for both the hospital and Adirondacks ACO.
Adirondacks ACO will pay for credit monitoring and identity protection for those whose Social Security numbers were included on the spreadsheet. To protect your business or pratice, contact the HIPAA compliance experts at HIPAAcraticRx.