Children’s National Health System notified 18,000 patients after employees fell for phishing scheme
From the Children’s National Medical Center web site:
At Children’s National Health System (Children’s National), protecting the security and confidentiality of patient personal and medical information is of the utmost importance. Regrettably, this notice concerns an incident involving some of that information.
On December 26, 2014, Children’s National learned that certain employee email accounts had been potentially exposed in a way that may have allowed hackers to access information contained in those email accounts. This was a result of employees having received “phishing” emails and responding believing they were legitimate. This may have created an opportunity for unauthorized access to these individual email accounts from July 26, 2014 to December 26, 2014.
When we learned of this, we secured the affected email accounts and began an investigation into the phishing attack on our organization, including hiring an outside expert forensics firm. Through a comprehensive review of the affected email accounts, we determined that the information contained in the emails may have included patient demographic information such as names, addresses, dates of birth, and telephone numbers, and may have also included clinical information such as diagnoses, treatment received, medical record numbers, medical service codes or health insurance information. In a small number of instances, Social Security numbers were included. We reported the phishing attack to federal law enforcement and continue to work with them in their investigation.
Importantly, neither patient charts nor our electronic medical records system were compromised. Only the discrete information contained in the email accounts was potentially affected.
We have no evidence that this information in the emails has been misused or even accessed. However, in an abundance of caution, we began sending letters to affected patients on February 24, 2015, and have established a dedicated call center to answer questions patients may have. If you believe you are affected but do not receive a letter by March 15, 2015, please call 1-800-768-5812, Monday through Friday, between 9:00 am and 9:00 pm Eastern Time.
We recommend that affected patients regularly review the explanation of benefits statement that they receive from their health insurer. If you identify services listed on your explanation of benefits that you did not receive, please immediately contact your insurer.
We deeply regret any inconvenience this may cause you. To help ensure that a similar issue does not happen in the future, Children’s National has re-enforced the educational training our staff receive regarding “phishing” or suspicious emails. We have also implemented enhancements to our existing technical safeguards and initiated a review of our systems to further protect patient information.
The incident was added to HHS’s public breach tool. The entry indicates that 18,000 were affected or notified.