The phishing attack happened on March 10 after an employee provided network login credentials to the malicious email. CTCA was alerted to the breach the following day and changed the password of the employee’s account.
Although the account was accessible for less than two days, the hacker may have been able to view patients’ names, addresses, medical record numbers, government identification numbers, health insurance information and some medical information. No Social Security numbers or financial information was affected, reports the HIPAA Journal.
This is the second phishing attack to expose CTCA patients in the past six months. A December 2018 data breach exposed the protected health information of 41,948 patients.
Patients who were affected in the March 2019 data breach have been told to monitor their explanation of benefits statement and other account statements.
Editor’s note: This stroy was updated on June 4. An orginial version of this article referred to Southeastern Regional Medical Center as Southern Regional Medical Center.
More articles on cybersecurity:
Indiana EHR provider agrees to $900K HIPAA violation settlement with 16 states
With 350,000 malware discoveries daily, HP creates partnership to combat cyberattacks
8 HIPAA-related cases 2019
