More than 1,000 Essentia Health patients may be among those victimized in a large-scale data breach, the health system announced Wednesday.
Nemadji Research Corp., a health data management business based in Bruno, Minn., fell victim to a phishing attack earlier this year that allowed outside access to medical information to 14,591 patients, the Los Angeles Times reported on Tuesday.
In a news release, Essentia Health said it has notified its patients whose information may have been compromised. Essentia formerly contracted with Nemadji to assist with billing services, according to the news release, but no longer does so.
“Essentia Health is not aware of any actual or attempted misuse of this information, but as a trusted health care provider, it is important to us that our patients are made aware of this disclosure so they can take steps to protect themselves,” the news release stated.
In the event of a breach, health care providers are required under HIPAA to notify affected individuals, the U.S. Department of Health & Human Services; and, in some cases, the news media.
All of the affected patients are being offered free credit-monitoring services, the news release added.
Essentia Health had provided Nemadji with information about some of its patients to “ensure prompt and appropriate delivery of these services,” it stated.
In a statement on its website, Nemadji said it identified “unusual activity” in an employee’s email account on March 28 and turned to a computer forensics expert to investigate. The investigator found that someone had access to the employee’s email account for several hours on that date after the employee fell victim to a phishing email.
On June 5, the company identified the first instance in which personal information “may have been accessible,” and began notifying its clients, the website announcement stated.
The data breach goes far beyond Essentia. The Los Angeles Times reported, for example, that thousands of patients of Los Angeles County’s hospitals and clinics may have been affected.
Exposed data in Los Angeles County included patient names, addresses, dates of birth, medical record numbers and Medicaid identification numbers, the Times reported. In two cases, patients’ Social Security numbers were revealed.
To learn more
Although letters were mailed to all patients who were impacted by the data breach, Essentia Health said those with questions may call (218) 786-6404 between 8 a.m. and 4:30 p.m. Monday through Friday.