Phishing Scam resulted in The Release of Personal Health Information
Who: Palmetto Health
# of Accounts Breached: 23,811 Patients
What was affected: Personal Health Information
When it happened: November 2018
How it happened: Palmetto Health is notifying individuals of an email phishing incident that resulted in unauthorized access to individual email boxes. The incident was limited to certain employee email accounts and did not affect our medical record systems. We believe the purpose of unauthorized access was to gain access to payroll information.
Outcome: Upon discovery, we blocked the unauthorized access and then engaged outside technical experts to investigate the incident thoroughly to evaluate the full nature and scope of the access. These experts determined that unauthorized access may have first occurred this past November. They also searched to determine whether sensitive data was located within any of the potentially accessed emails. These same emails were also hand reviewed to obtain names and mailing addresses for use in the notification.
Palmetto Health values the safety and security of patient and employee information and is continuing to take steps to enhance its security measures to help prevent something like this from happening in the future. We have attempted to notify by letter those patients for whom we had mailing addresses. While we have no evidence that any patient information contained in the affected email accounts has been used inappropriately, we are offering complimentary identity theft protection services to those whose financial data could have been accessed. We recommend affected persons remain vigilant and monitor account statements and credit reports carefully and report discrepancies to law enforcement. Fraud alerts and security freezes also can be activated to help protect individuals.