by Brandon Arcari, Vermont Business Magazine Rutland Regional Medical Center suffered a breach of several employee email accounts starting late last year, Vermont Business Magazine has learned, potentially exposing sensitive patient data including names, diagnoses and prescription information. The breach, which occurred between November 2, 2018, and February 6, 2019, was identified by an employee who noticed spam emails being sent from their account. On February 6, the medical center confirmed that nine employee email accounts had been compromised, and that unauthorized users could have accessed any data contained within those accounts.
Over 72,000 patients may have been affected by the breach, according to a press release, which also stated that 3,683 Social Security Numbers were among the exposed data.
Rutland Regional said in a press release that it has not heard of any instances of personal information being misused as a result of the breach.
The 72,224 patients whose information was potentially accessed were notified via US Mail in a letter dated March 15, 2019, though the letter states that Rutland Regional could not confirm whether or not private health information was actually accessed.
Rutland Regional did not identify in the letter who had obtained unauthorized access, nor did it provide any information regarding potential criminal investigations into the breach.
The letter, signed by General Counsel John Wallace, also provided instructions for steps to protect against identity theft. The steps included contacting the three major credit bureaus in the US, TransUnion, Experian, and Equifax, the latter itself having had a significant data breach in 2017.
In the release, Claudio Fort, president and CEO of RRMC, said that the health care system takes the “responsibility to protect personal information very seriously.”
“Information privacy and security remain one of our highest priorities. We apologize for any inconvenience or concern this incident might have caused. We have taken and will continue to take steps to prevent something like this from happening again, including educating staff, reviewing technical controls and implementing additional safeguards and security measures to enhance the privacy and security of our patient information,” Fort said.
A copy of the letter sent to patients and obtained by VBM reads:
" . . . On December 21, 2019, a Rutland Regional employee identified a high volume of spam emails being sent from their [sic] email account. The employee reported this activity to Rutland Regional's IT Department on December 29, 2018. Subsequently, on December 31, 2018, Rutland Regional's IT Department determined the employee's email account was subject to unauthorized access and immediately changed the employee's password and locked the account.
"Rutland Regional, with the assistance of a third-party forensic expert, further investigated this incident. Rutland Regional confirmed on February 6, 2019 that an unauthorized actor or actors had access to nine (9) employees' email accounts at certain times between November 2, 2018 and February 6, 2019. The email accounts included, among other things, data files that contain the types of demographic information that are used for health care billing. On February 21, 2019, Rutland confirmed that your information was impacted. No Electronic Medical Record systems or other Rutland Regional internal systems were affected.
"What Information Was Involved? The information in the email accounts that was potentially subject to unauthorized access and related to you includes your name, diagnosis, treatment information, prescription information, doctor's name, medical record number (MRN) and FIN.
"Rutland Regional cannot confirm whether any specific information within the affected email accounts was actually accessed, viewed, or acquired without permission. We are providing this notification out of an abundance of caution to anyone whose information was accessible within the email accounts...."
A press release about the issue obtained by VBM reads:
Rutland Regional Medical Center (“Rutland Regional”) is providing further information regarding a data security incident that occurred in late 2018 and early 2019. To date, Rutland Regional has not received any reports that personal information has been misused as a result of this incident.
On December 31, 2018, Rutland Regional’s Information Technology Department determined that an employee’s email account was subject to unauthorized access. Rutland Regional immediately started working with a third-party forensic expert to conduct a full system review and further investigate the incident. This investigation found that an unauthorized actor or actors had access to nine employees’ email accounts between November 2, 2018 and February 6, 2019.
The investigation further determined that information pertaining to 72,224 patients was included in the email accounts that were affected. While Rutland Regional cannot confirm whether any specific information within the affected email accounts was actually accessed, viewed, or acquired without permission, the email accounts included, among other things, data files that contain the types of demographic information that are used for health care billing, such as patient names, contact information and medical record numbers. The information in the email accounts also contained 3,683 social security numbers.
"We take our responsibility to protect personal information very seriously,” said Claudio Fort, President and CEO of Rutland Regional. “Information privacy and security remain one of our highest priorities. We apologize for any inconvenience or concern this incident might have caused. We have taken and will continue to take steps to prevent something like this from happening again, including educating staff, reviewing technical controls and implementing additional safeguards and security measures to enhance the privacy and security of our patient information.”
Rutland Regional has notified the media, the U.S. Department of Health and Human Services and the Vermont Attorney General’s Office. Rutland Regional is providing notice to potentially impacted individuals by way of a notification posted on the homepage of its website, https://www.rrmc.org/, as well as by publishing notice to certain state media outlets and in certain state media publications. Rutland Regional will be mailing notice letters to those individuals for whom Rutland Regional has confirmed mailing address information. Rutland Regional will also be offering credit monitoring as well as credit restoration services if necessary, to those patients whose social security numbers may have been accessed.
Rutland Regional has established a dedicated assistance line for individuals seeking additional information regarding this incident. Individuals may call 1-855-742-6198, 9 a.m. to 9 p.m. ET, Monday through Saturday with questions.