Beaumont Health, Michigan's largest healthcare system, announced the potential compromise of patient data contained in email messages and file attachments after unauthorized persons gained access to several employees' email accounts.
Beaumont Health discovered the email account breach on March 29, 2020, roughly 10 months after the intrusion itself, which exposed and possibly led to the theft of patient data. According to the results of the breach investigation, unauthorized persons accessed the email accounts from May 23, 2019 to June 3, 2019. Forensic experts investigated the breach to determine its magnitude and extent, which included a manual review of every message in the breached email accounts. That investigation took considerable time to complete, which delayed the sending of breach notification letters to patients.
The investigators confirmed that the compromised email accounts held the protected health information (PHI) of 112,000 people, about 5% of Beaumont Health's 2.3 million patients. The types of data compromised and possibly stolen differed from one patient to another. Patient names together with one or more of the following data elements may have been compromised: birth dates, diagnoses, diagnosis codes, types of treatment, treatment areas, procedures, prescription details, internal patient account numbers and health record numbers. For some patients, Social Security numbers and other data may also have been compromised. Although the forensic investigators confirmed that the email accounts were accessed, it was impossible to ascertain whether the attackers viewed or stole patient data.
In response to the breach, Beaumont Health provided additional HIPAA training to employees to help them identify malicious and phishing emails. Internal procedures have been revised and additional technical security measures have been put in place to prevent similar breaches in the future.
This incident is the second data breach that Beaumont Health has announced this year. The first breach was announced in January, when 1,182 patients received notification letters. A former employee had accessed the files of car accident patients who received medical treatment, and it is believed that the former employee disclosed the patient information to a personal injury lawyer.