Vermont-based Adirondack Health notified approximately 25,000 patients that their medical records and personal data were exposed in an email hack and may have been obtained by a hacker.
On March 4, 2019, it was discovered that an unauthorized individual had accessed an employee’s email account for two days. After discovering the unauthorized access, Adirondacks ACO began reviewing every email and attachment in the affected employee’s account, looking for any PHI that may have been accessed.
PHI was identified in a spreadsheet attached to one of the emails. The spreadsheet contained patients’ names, dates of birth, Medicare ID numbers and health insurance member numbers, as well as limited treatment and/or clinical information. Some patients also had their Social Security numbers listed.
You can read more about this breach in detail through our partner HIPAA Secure Now: 25,000 Patients’ Data Exposed in Email Hack.
How Could This Have Been Avoided?
It doesn’t matter how large or small your organization is: most data breaches can be avoided outright.
As we have covered in previous articles such as HIPAA: 5 Simple and Inexpensive Tips to Protect Patient Information and CyberSecurity Fundamentals, HIPAA and cyber security are complicated and ever changing, because hackers are always coming up with new and more inventive ways to break into employee systems such as email, workstations and customer management systems.
Many successful attacks are carried out through phishing and social engineering. The IT industry must use multiple layers of protection to minimize and mitigate potential attack points. Some of these layers are hardware, known as edge or perimeter devices: badge systems at doorways that identify people and deny physical access to a company’s internal offices, or intrusion detection systems on networks connected to the internet. Others are software-based solutions on end-user workstations and mobile devices, such as endpoint protection and intrusion prevention systems.
While effective, these alone cannot provide 100% protection for a company’s most valuable asset: its patients’ data. With email and phone phishing, as well as other social engineering campaigns run through the most popular social media platforms, your employees are the single best line of defense when they are properly trained to identify, act on and report potential attacks. This requires training your staff to be aware of what to look out for, and providing specific policies and chains of command for reporting such incidents.
What Should You Do?
With so many layers to protect, securing an organization of any size can be a daunting task. It is especially hard for small to medium-sized organizations that lack an enterprise budget. They cannot employ 24 x 7 in-house IT staff trained to plan, deploy, manage and mitigate such attacks, or a dedicated HIPAA compliance officer who specializes in developing a HIPAA-compliant privacy program, writing and enforcing privacy policies that protect the integrity of PHI, conducting risk assessments, developing HIPAA-compliant procedures where necessary, and providing ongoing privacy training to employees.
This is where the HIPAA specialists and dedicated IT engineers at HI-TEX Solutions give our clients peace of mind: we are constantly monitoring for and mitigating such attacks using the best technologies the market has to offer, both current and cutting-edge. Let our HIPAA specialists work with your staff to ensure everyone is trained and ready for when your company is targeted. To learn more about our HIPAA solutions and the IT support services we offer at Hi-Tex Solutions, feel free to contact us today.