Grand River Medical Group is notifying 34,000 patients of a recent hacking incident that allowed an unauthorized individual to access the Dubuque, Iowa-based medical group's computer systems and view their protected health information.
The hacker gained access to Grand River's systems via an employee's email account, and subsequently spreadsheets containing patients' health information. The medical group tapped an outside incident response expert to complete a forensic analysis, which did not find any evidence of data being accessed or downloaded by the intruder. However, Grand River "could not definitely rule such activity out."
The medical group reported the breach to HHS as affecting 34,000 individuals and mailed notice letters to patients from Feb. 8-11. Patient data exposed in the incident included names, Social Security numbers, birth dates, addresses, medications and visit types.
Grand River terminated the hacker's access immediately upon discovering the breach and has since changed all relevant passwords and isolated the compromised account from its system. The medical group is offering all affected individuals one year of free identity theft protection services.