Alomere Health says it remains unclear whether patient data was accessed
The operator of a hospital in Minnesota has informed around 50,000 patients that their healthcare records may have been exposed following unauthorized access to two employees’ email accounts.
In a security advisory, Alomere Health of Alexandria said its investigations revealed that one employee’s email account had been compromised between October 31 and November 1, 2019.
The organization, which operates the 127-bed Douglas County Hospital and three smaller healthcare facilities, says it discovered the breach five days later, on November 6.
On November 10, the forensics firm hired by Alomere Health to conduct an investigation detected another breach of a second employee email account, which occurred on November 6.
The organization said it began notifying potentially impacted patients of the breach on January 3.
A listing on the US Department of Health and Human Services website shows that 49,351 patients are being alerted to the incident.
Emails and attachments in the compromised accounts “may have included patients’ names, addresses, dates of birth, medical record numbers, health insurance information, treatment information, and/or diagnosis information”, according to the security alert.
“For a limited number of patients, Social Security number and/or driver’s license numbers were also found in the accounts,” it added.
Alomere says its investigations provided “no confirmation that patient information was actually viewed by the unauthorized person(s), or that it has been misused”.
Nevertheless, patients whose Social Security number or driver’s license number were present within the email accounts are being offered complimentary credit monitoring and identity protection services.
Alomere Health is also recommending that affected clients review any statements they receive from their health insurers or healthcare providers.