Personal data put at risk by email intrusion at PCMH

Perry County Memorial Hospital reported an unauthorized individual gained access to two employee email accounts earlier this year, putting personal information for hundreds of individuals — patients and staff — at risk.

According to Mike Ellis, PCMH’s chief financial officer, the email intrusion was discovered Aug. 23. “It did not come to our attention until a suspicious activity occurred that obviously was not from this person — this email — that was compromised,” Ellis told the Republic-Monitor on Tuesday. “Right away, we looked into it and realized that an e-mail account had been compromised and we shut it down immediately.”

That first intrusion led investigators to a second email account that had been accessed. According to the hospital, both accounts may have contained personal information for more than 500 individuals.

Chris Wibbenmeyer, the hospital’s interim CEO, stressed that the intrusion was limited to the two employee email accounts and did not affect PCMH’s medical, billing or human resources records systems. As of Tuesday, the hospital had not received any report of identity theft as the result of the intrusion.

According to a news release issued by PCMH on Tuesday — after speaking with the Republic-Monitor — the hospital began notifying the affected individuals on Oct. 22, a process that is still ongoing, along with the investigation.

“We needed enough time to actually investigate and analyze and come up with the list [of individuals affected],” Ellis said. “We didn’t know the extent of this until we got in there and really looked at it in detail. There are deadlines that we have to meet. When you find it, you have a certain amount of time to report it and do something about it and we were within those timelines.”

Administrators said the investigation included an extensive document review process to determine whether individual names or other sensitive data were located within any of the emails that may have been affected. So far, the hospital said, the information potentially involved was full name, date of birth, diagnoses/diagnostic codes, internal patient account numbers, provider names, and other health information. In a limited number of instances, social security numbers, Medicare/Medicaid numbers, and health insurance information may have been in the affected email accounts.

Anyone whose information might have been compromised will not necessarily have all of these types of information involved, the hospital said, but perhaps only a few of them.

“We have not had any collateral damage, if you will, but we need to alert everyone, just in case they see suspicious activity,” Ellis said.

The intrusion, Ellis said, was not the result of a phishing attack — in which a hacker includes a fictitious or malicious link in an email designed to either garner information or launch a malicious program — but rather a brute force attack, in which the intruder essentially hammers the account with multiple access attempts until they finally get through.

“This is not because of some phishing scheme where one of our employees clicked on some ad or clicked on a link or clicked on an attachment,” Wibbenmeyer said. “This wasn’t anything that was anyone’s fault.”

Looking ahead, Ellis said the hospital has already taken steps to try and make sure a similar intrusion doesn’t happen in the future.

“This is the first brute force attack we’ve seen,” Ellis said, “but it’s not uncommon in the healthcare field. We always learn from these instances. There are a couple of things that we changed to make it even more difficult for e-mails from the outside to come in, and then we’re going to beef up our education about clicking on suspicious things, even though this was not a phishing attack. We’re going to double down on the number of education sessions [our staff] has to attend.”

According to the United States Department of Health and Human Services, 692,490 individuals were affected by data breaches at 35 different healthcare organizations in October.

On Oct. 28, the FBI, HHS and the Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security issued an advisory outlining how phishing emails can distribute ransomware and warning hospitals that malware can exist in the system for a period of time before disrupting IT networks.

According to Tuesday’s release, PCMH is setting up a toll-free call center to answer questions, which will be available for 90 days beginning Oct. 22.

Those concerned that their information might have been involved in the incident are encouraged to call 1-888-768-6008 from 9 a.m.-4 p.m. Monday through Friday, excluding holidays, to verify details and obtain additional information.