Milwaukee-based Medical College of Wisconsin is notifying 9,500 patients to a potential breach of their sensitive information after some faculty and staff members fell victim to a spear phishing attack targeting their email system, a hospital spokesperson confirmed to Becker's Hospital Review.
An unauthorized third party accessed a limited number of email accounts between July 21 and July 28 belonging to MCW employees, compromising patients protected health information. Patients' names, home addresses, dates of birth, medical record numbers, health insurance information, dates of service, surgical information, diagnosis and condition and treatment information were contained in the email accounts. Social Security numbers and bank account information for a small number of patients were also affected.
After discovering the incident, the hospital disabled the accounts and mandated password changes to those compromised. MCW completed an investigation Sept. 20, but to this date, is not aware of any reports of identity fraud, theft or improper use of the information.
MCW is advising affected patients on best practices to protect their information, including reviewing statements they receive from health insurance providers. It is offering credit monitoring and identity theft restoration services to those whose Social Security numbers were potentially exposed.