Pawnee County Memorial Hospital notifies 7,038 patients after employee email account compromised by phishing attack

Pawnee County Memorial Hospital in Nebraska recently notified 7,038 patients of a malware incident affecting protected health information.

According to their substitute notice, reproduced below, on November 29, the hospital discovered that when an employee opened an email attachment from what had appeared to be a trusted source, malware was injected.  The malware gave the attacker access to the employee’s account from November 16 – 24. Protected health information in the account included

full name and one or more of the following: address, date of birth, date(s) of service, medical record number, clinical information (for example, diagnoses and lab results), insurance information, and driver’s license/State ID number. For some individuals, the information also included Social Security Number.

PCMH has arranged for a one-year enrollment in an online credit monitoring service (myTrueIdentity) provided by TransUnion Interactive for those affected.

2211025 v1 NAS Pawnee Substitute Notice for Website

About the author: Dissent