Alomere Health said that it’s begun notifying patients of a security incident that involved the compromise of two employees’ email accounts.
According to a statement posted to its website, Alomere Health began notifying its patients on January 3, 2020 of an email security incident that might have exposed some of their information.
The general medical and surgical hospital located in Alexandria, Minnesota first learned of the incident on November 6, 2019. At that time, Alomere officials discovered that an unauthorized individual had gained access to a hospital employee’s email account in late-October/early-November.
In response to the incident, Alomere Health launched an investigation with the help of a computer forensic firm to determine what happened. This effort revealed that attackers had compromised the email account of another employee on November 6, 2019. It also uncovered that malicious actors might have accessed some patients’ information including their names, dates of birth, medical record numbers and health insurance information contained within emails stored on those accounts.
Per the statement, hospital officials believe that the incident possibly affected the Social Security Numbers and driver’s license numbers for a small number of patients.
After securing the affected employees’ email accounts, Alomere Health began notifying patients of the incident. It said it would be offering complimentary credit monitoring and identity protection services to them. It also clarified that it was taking steps to prevent similar incidents from occurring in the future.
As quoted in its statement:
We regret this unauthorized action occurred and that it may cause inconvenience for our patients. To lessen the likelihood this occurs in the future, we have put in place additional security measures for all of Alomere Health employee email accounts. It is through these additional layers of security, staff training, and diligence that we will continue to provide high-quality health care, close to home with safety and security.
This event follows on the heels of several other email security incidents that affected U.S. hospitals. Back in October 2019, for instance, the Methodist Hospitals, Inc. revealed that a phishing attack potentially affected the information of approximately 68,000 patients. Later that month, Kalispell Regional Healthcare disclosed that a phishing attack might have exposed patients’ personally identifiable information.
This incident highlights the importance of healthcare organizations educating their employees about some of the most common phishing attacks circulating in the wild. It also emphasizes the necessity of using a solution like Tripwire to maintain their compliance with healthcare regulations like HIPAA.