Summa Health is in the process of notifying 10,893 patients of a data security incident in which sensitive data was compromised.
On May 1, 2019, Summa Health, based in Akron, Ohio, noticed suspicious activity on its email platform and immediately investigated. It quickly discovered that an unauthorised individual had gained access to several employee email accounts and therefore could potentially have accessed sensitive patient data.
Immediate action was taken to revoke the unauthorised access to the email accounts and secure the network.
Summa Health hired a third-party cybersecurity firm to assist with the breach investigation, to determine the extent of the breach, when the hacker first gained access, and whether patient data had been accessed or altered during the incident.
The investigators determined that two employee email accounts had been compromised in August 2018, with a further two accounts compromised on March 11 and March 29. The hacker gained access to the accounts by fooling employees into handing over their login credentials through a phishing campaign.
The investigators further confirmed that the hacker could have viewed or exfiltrated protected health information (PHI) while they still had access to the accounts. Although the investigators found no definitive evidence that any patient information was viewed or stolen, the possibility could not be ruled out. As a result, Summa Health decided to treat the incident as a HIPAA data breach.
The information held in the compromised email accounts was limited to names, dates of birth, patient account numbers, medical record numbers, and some clinical and treatment information. A small subset of patients also had their Social Security number or driver’s license number exposed.
In accordance with HIPAA’s Breach Notification Rule, Summa Health notified the Department of Health and Human Services’ Office for Civil Rights. In total, 10,893 patients were affected by the breach. Summa Health is also sending breach notification letters to all affected patients.
Summa Health has stated that it intends to implement additional security measures to prevent further email security breaches. It also intends to introduce a thorough employee training program to educate its staff on the threat of phishing emails, with additional training on the importance of patient privacy and security.