Northwood, a Michigan HIPAA business associate, has notified more than 15,000 patients that a hacker had gained access to an employee's email account and potentially viewed their protected health information, according to the HIPAA Journal.
The company learned that an unauthorized third party had access to the employee's email account from May 3 to May 6. There is no evidence that the information stored in the email account has been misused.
Upon investigation, Northwood determined that patients' protected health information had been exposed. Information found in the email account included names, addresses, dates of birth, provider names, dates of service, medical record numbers, patient ID numbers, diagnoses and diagnosis codes, medical device descriptions, treatment information, and health plan membership numbers. Northwood also disclosed that a small number of patients' Social Security numbers, driver's license numbers and health insurance provider names were exposed.
Since the data breach, Northwood has disabled the compromised email account. All employees were required to reset their passwords. Northwood also provided additional training to employees to help them identify email threats.