Pawnee City, Neb.-based Pawnee Country Memorial Hospital is notifying 7,175 patients that some of their protected health information may have been exposed when a hospital employee was tricked by a phishing email in November 2018.
An investigation determined that a hospital employee fell victim to a malicious email that appeared to be from a trusted source. By clicking on an attachment in the email, the employee unintentionally gave unauthorized personnel access to PCMH email accounts between Nov. 16 and Nov. 24, 2018.
While the attackers did not gain access to the hospital's EMR or patient portal, emails stored in the accounts may have included business reports, clinical reports and summaries, and other documents with PHI, such as addresses, dates of birth, dates of service, medical record numbers, insurance information and driver’s licenses. A limited number of Social Security numbers may have also been compromised.
Since the phishing attack, PCMH reset all of its employees’ email account passwords, and the hospital continues to work with experts to enhance technology safeguards. PCMH also mailed letters to all affected individuals that include steps to prevent medical identity theft or fraud.
In a statement to Becker's Hospital Review PCMH CEO Ruth Stephens said, "We take the healthcare information of our patients very seriously. We have gone through every step we can to make sure that they are protected going forward."
Editor's note: This article was updated at 3 p.m. to include a statement from the hospital.