An email phishing incident at Palmetto Health resulted in unauthorized access to certain employee email accounts, potentially affecting protected health information.
The Pensacola, Fla.-based system is notifying 23,811 patients that an apparent attempt by a hacker to gain access to payroll information may have also impacted their health information.
Patients of Palmetto Health, which recently merged with Greenville Health System to become PRISMA Health, could be affected by the breach if protected health information within employee emails was compromised.
“Upon discovery, we blocked the unauthorized access and then engaged outside technical experts to investigate the incident thoroughly to evaluate the full nature and scope of the access,” according to a notification letter from the organization.
“These experts determined that unauthorized access may have first occurred this past November,” the letter noted. “They also searched to determine whether sensitive data was located within any of the potentially accessed emails. These same emails were also (manually) reviewed to obtain names and mailing addresses for use in notification.”
Also See: Security woes increasingly sting the healthcare industry
By mid-February, Palmetto Health learned of the names of persons whose information was in the email accounts. Along with patient names, the emails contained information used in treatment or consultation, and some emails contained Social Security numbers and insurance information.
“While we have no evidence that any patient information contained in the affected email accounts has been used inappropriately, we are offering one year of complimentary identity theft protection services to those whose financial data could have been accessed,” Palmetto Health told patients, who also were advised to monitor account statements and credit reports, and report any discrepancies to law enforcement.
Palmetto executives say the incident in no way affects the recent merger or any plans for the future of the organization. Palmetto Health offered affected patients one year of identity theft protection services from Experian.
Reprints and licensing
For reprint and licensing requests for this article, click here.