From the Blog

LMH announces phishing incident

Logansport Memorial Hospital was the victim of a hacking incident that may have resulted in unauthorized access to certain information about the Hospital’s patients. On February 22, 2019, the Hospital became aware that an employee email account had been compromised through what is known as a phishing attack, where a malicious actor sought to obtain the employee’s username and password through a fake email that requested the employee to provide those credentials for a seemingly legitimate purpose. The Hospital immediately took steps to secure the account and ensure that the unauthorized actor no longer had access to it.

The Hospital initiated an investigation and learned on or about March 18, 2019, that the compromised email account contained patient protected health information. Since then, the Hospital has worked to identify the individuals and information potentially affected by the breach. While the Hospital’s investigation was not able to definitively conclude whether the unauthorized actor actually accessed or obtained a particular individual’s information, it would have been possible for the unauthorized actor to access and obtain patient information that was in the compromised employee email account.

The information potentially accessed by the unauthorized actor was primarily in the form of surgical schedules that were sent daily to the Hospital employee for use in legitimate job functions and spreadsheets for use in clinical data reporting. The potentially compromised information included some or all of the following: patient name, date of birth, age, medical condition/diagnosis, allergies, phone number, medical record number, name of surgeon, and date/time of surgery/service. It is important to note that, for nearly all of the affected individuals, the information did not include any personal financial information, such as social security number or credit card information. However, for a small portion of the affected individuals, the information did include social security number.

This incident did not involve or affect the security of the Hospital’s electronic medical record in any manner, and at no point was the Hospital unable to access the information needed to provide high quality health care services to patients.

The Hospital sent letters to each of its affected patients to inform them of this incident and to identify the steps that patients can take to protect themselves from the potential misuse of this information. The Hospital sent an initial batch of letters on April 23, 2019 and another batch of letters on May 23, 2019 after it realized that not all affected individuals had received the initial notice. For any individuals whose information included a social security number, the letter they receive will specifically state this and the Hospital is offering them two years of free credit monitoring services to help alleviate any privacy concerns they may have. Whether an affected patient’s information was one of the few that included social security number or not, the Hospital suggests that patients who are concerned about their information consider contacting the three credit reporting agencies to place a fraud alert on their credit reports, and to monitor medical records and health insurance claims information for any indications of medical identity theft.

The Hospital has reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights, which is the federal agency that oversees the privacy and security of patient protected health information.

Logansport Memorial Hospital deeply regrets that this incident occurred. The Hospital is committed to providing quality care and protecting PHI. The Hospital has established a call center to answer any questions that patients may have about this incident. Patients may contact the call center at (855) 424-2570 between 9 a.m. and 9 p.m. Eastern time, Monday through Friday.

TOPICS: News