Rutland Regional Medical has revealed that a hacker compromised nine employee email accounts following a cyber attack on their systems.
Rutland Regional Medical, based in Rutland City, is the biggest community hospital in Vermont. A staff member discovered the attack on December 21, 2018, after noticing that their email account had been hijacked to send a large number of spam emails.
Rutland Regional Medical’s IT department was informed of the breach on December 28, 2018. Following some investigative work, on December 31 the IT department discovered that an unauthorised individual had remotely accessed the staff member’s email account.
The IT staff blocked the hacker’s access to the email account. Rutland Regional Medical contracted a third-party forensic specialist to launch a full investigation into the causes and scope of the breach. The investigation is still ongoing, but the investigators are intermittently releasing results. On February 6, 2019, Rutland Regional Medical stated that the hacker had compromised nine email accounts between November 2, 2018, and February 6, 2019.
The investigators have stated that the types of information that individual may have accessed include names, dates of birth, contact details, patient identification numbers, medical record numbers, financial data, diagnoses, treatment information, Social Security numbers, and health insurance data. The breach was restricted to email accounts. The hacker did not access the EMR system or other internal systems during the breach.
Following HIPAA’s Breach Notification Rule, Rutland Regional Medical is sending notification letters to affected patients.
Rutland Regional Medical has stated that it has taken measures to improve its cybersecurity framework. These measures include implementing safeguards to enhance email security and help prevent additional breaches of this nature.
Rutland Regional Medical has reported the breach to the Department of Health and Human Services’ Office for Civil Rights (OCR). The breach portal states that the breach affected 72,224 patients.
Claudio Fort, President and CEO of Rutland Regional Medical, told the Rutland Herald: “There’s no doubt about it, that’s a very high number. We’re very concerned about that. It’s a limited amount but still, even the fact of identifying whether someone was a patient here at the hospital, we consider it a HIPAA (Health Insurance Portability and Accountability Act) security incident, and we take that very seriously.”