Email compromise at FHN thought to have resulted in loss of patients’ PII
A data breach at Illinois healthcare organization FHN has likely exposed patients’ personal information.
The incident, described as an “email compromise” by FHN, may have disclosed personally identifiable information (PII) including names, dates of birth, Social Security numbers, and health insurance information.
An unauthorized party gained access to employee email accounts on February 12 and 13, FHN said in a statement.
After detecting “suspicious activity” within email accounts, FHN called in a cybersecurity team to conduct an investigation.
The statement read: “The investigation was unable to determine whether the unauthorized person actually viewed any emails or attachments in the accounts.
“Out of an abundance of caution, we reviewed the emails and attachments contained in the email accounts to identify patient information that may have been accessible to the unauthorized person.”
FHN stated that “not all” patients were affected. However, it has not confirmed how many records might be at risk.
The Daily Swig has reached out to FHN for more information to clarify this issue.
Potentially affected people have been notified by letter, FHN said.
The company is also offering free credit monitoring software to the patients who may have been involved.
“We also recommend that affected patients review any statements they receive from their health insurers and health care providers,” FHN added.
YOU MAY LIKE Anatomy of a healthcare data breach dissected
“If patients see charges for services not received, they should contact the insurer or provider immediately.”
The healthcare organization said it is reviewing its security practices, providing security awareness education for employees, and enforcing protections such as multi-factor authentication measures.
Established in 1902, FHN operates the FHN Memorial Hospital in Freeport, Illinois, along with several regional family healthcare centers across the midwestern state.
Under Illinois’ data breach notification laws, a leak affected more than 100 residents must also be reported to the attorney general. The authorities must be informed before the consumer, the law states.