Health hacking: About 25,000 patients’ data exposed
A hacker got access to an emailed discussion about patients in the North Country who missed a health screening, leading to a massive breach-of-data warning.
About 25,000 patients were on a “gap in care” spreadsheet, identified in a variety of ways. Some were named with their birth date, some had Social Security numbers, and some had a Medicare or health insurance number included.
All of them were exposed to the hack of an Adirondacks Accountable Care Organization email inbox. However, officials don’t know if the hacker actually looked at the spreadsheet. It was the only item in the email account with private data, said Gregory Daniels, chief compliance officer for the Adirondacks ACO. “There’s no way to know if anything was actually viewed,” he said.
Adirondacks ACO is a Plattsburgh-based agency that analyzes health data for the entire region. All the Adirondack region’s hospitals and most medical groups use Adirondacks ACO for analytics, including those run by Adirondack Health, the University of Vermont Health Network, Glens Falls Hospital and Hudson Headwaters Health Network.
“The incident did not affect all Adirondack Health patients, but only some patients who had information contained in the affected email account,” Adirondack Health wrote in a message posted on its website.
“We asked the ACO to mail letters to those of our patients whose information was identified in the account.”
The agency started sending out 20,000 letters last week to notify each patient of the data breach. On Friday, 5,000 more letters were sent out, and a few more remain.
It’s taken time to track down addresses for each patient, Daniels said.
Those who have questions about the data breach should call 1-877-347-0178 from 9 a.m. to 9 p.m., Monday through Friday.
Adirondacks ACO will pay for credit monitoring and identity protection for those whose Social Security numbers were included on the spreadsheet.
Patients should review any medical bills or insurance company “explanation of benefits” statements to make sure they are not billed for services they did not receive. If they see questionable services, they should contact their health insurer or the medical provider immediately.
The incident started with two employees discussing data about patients who missed a baby wellness exam and other screenings. It was part of a “population health” analysis, Daniels said.
They were going to send the information to physicians in the network, who could decide how to contact their patients.
Then a hacker from outside the country accessed the email account. It was not a phishing attack, in which an employee is tricked by an email that appears legitimate into unintentionally opening a way for an attacker to access the system.
“I don’t think it’s something the employee could have avoided,” Daniels said.
However, the employees could have kept the spreadsheet out of emails.
“Policies are being changed,” Daniels said.
The email account was hacked between March 2 and 4, and the intrusion was discovered by Champlain Valley Physicians Hospital in Plattsburgh on March 4. The account was held by an employee who worked for both the hospital and Adirondacks ACO.
Daniels declined to discuss whether the employee faced any discipline.
The agency notified Glens Falls Hospital of the security breach on May 3 and notified Hudson Headwaters on May 6. Notification of patients began on July 2. Daniels cited the sheer number of patients as the reason for the four-month process, but also noted that he had 60 days to notify the health groups and another 60 days to notify the patients.
Adirondack Health’s website message described the data breach as regrettable and said, “We and the ACO remain committed to protecting the confidentiality and security of our patients’ information.”
The Enterprise staff contributed to this report.