IA: Primary Health Care notifies patients after discovering hack of employee email accounts
From their press release, issued yesterday:
Primary Health Care Inc. (“PHC”) is providing notice of an incident that occurred at PHC and may affect the security of protected health information of certain PHC patients. While PHC is unaware of any actual or attempted misuse of the information, this notice contains details about the incident and PHC’s response, as well as steps impacted individuals can take to protect their information, should they feel it appropriate to do so.
What Happened? On March 1, 2017, PHC discovered that the email accounts of four of its employees had been subject to unauthorized access on February 28, 2017. PHC immediately terminated the unauthorized access and began an investigation which included a review of the contents of the email account for protected information. A forensic investigator was hired to confirm the scope of the unauthorized access to the email accounts and the related Google drives. Unfortunately, PHC is unable to confirm what emails within the account, if any, were subject to unauthorized access. Therefore, the forensic investigator reviewed all four email accounts and Google drives to determine what protected health information they may have contained. Though it has no evidence that any emails were subject to unauthorized access, in an abundance of caution, PHC is providing notice to potentially affected individuals.
What Information Was Involved? The information related to patients located in one of the email accounts or Google drives and therefore potentially subject to unauthorized access includes a combination of patient name, phone number, Social Security number, driver’s license number, financial account number, credit/debit card number, date of service, diagnosis and treatment information, medical history, facility and provider visited, health insurance/payor information and, if applicable, Medicaid identification number. PHC currently has no evidence of any actual or attempted misuse of patient information as a result of this incident.
What We Are Doing. The confidentiality, privacy, and security of patient information is one of PHC’s highest priorities. PHC has stringent security measures in place to protect the security of information in its possession. In addition, as part of our ongoing commitment to the security of protected health information in its care, PHC is working to implement additional safeguards and security measures to enhance the privacy and security of information on its systems. PHC is notifying the affected individuals and will be reporting this incident to the U.S. Department of Health and Human Services (HHS).
As an added precaution, PHC has arranged to have AllClear ID provide 12 months of identity protection services starting on the date of the notice to the affected individuals.
What You Can Do. You can review your credit card and bank account statements, explanation of benefits forms and credit reports for suspicious activity. Report such activity to your bank, credit card issuer or health insurance company.
For More Information. PHC understands that patients may have questions about this incident that are not addressed in this notice. If you have additional questions, you can contact the dedicated assistance line PHC has setup at 1-855-303-9813.
PHC sincerely regrets any inconvenience this incident has caused.
SOURCE Primary Health Care Inc.