An unauthorized person may have breached information in emails belonging to more than 200,000 patients at UMass Memorial Health

Email hack at UMass Memorial Health affects over 200,000 patients

October 29, 2021
by John R. Fischer, Senior Reporter

A data breach at UMass Memorial Health in Worcester, Massachusetts may have compromised the personal information of more than 200,000 patients.

The email hack was perpetrated by an unauthorized person between June 2020 and January 2021, said UMass Memorial Health in an October 15 notice to patients, reported The Telegram & Gazette. "Our investigation to determine the nature and scope of the incident determined on January 27, 2021, that a limited number of UMass employees' email accounts may have been accessed by an unauthorized person."

The breach affected 209,048 patients in total. While the health system could not determine how many emails the unauthorized party viewed, it did say that the breach only affected UMass Memorial patients whose information was contained in the accessed emails. For patients, this included names, dates of birth, medical record numbers, health insurance information, clinical or treatment information, prescription information and, for some, Social Security numbers and driver's license numbers.

Health plan participants were also affected; their breached data included names, subscriber ID numbers and benefits election information.

UMass Memorial Health has offered free credit monitoring and data protection services to patients whose Social Security numbers and driver's license numbers were identified in the emails.

"To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails, and are making additional security enhancements to our email environment, including enabling multifactor authentication," said UMass Memorial Health in its notice.

UMass Memorial Health previously informed patients in September 2020 of a breach on Blackbaud, one of its vendors that provides data services. It said that an unauthorized person may have accessed a database there with UMass Memorial information, according to The Telegram & Gazette.

Back in July, more than 22.8 million patients were reported to have fallen victim to healthcare data breaches in 2021 alone. This was a 185% increase from the same time last year, when just 7.9 million patients were affected, according to a report by Fortified Health Security. Among all healthcare entities, providers experienced the most breaches, at 73%. Cyberattacks were responsible for 73% of breaches, with unauthorized access or disclosure responsible 22% of the time.

One cancer patient affected by a recent data breach at UC San Diego Health hit back at the healthcare provider in September with a class action lawsuit. Denise Menezes, of El Cajon, alleged in her suit that UC San Diego was negligent, breached contract and went against state consumer, privacy and medical confidentiality laws by failing to utilize reasonable security practices and train employees efficiently on how to avoid phishing scams. She also criticized it for taking too long to notify patients and for lacking the procedures necessary to quickly identify the intrusion, which took place between December and April.

“Patients should trust that their most private medical results will not be made public, and that their medical visits will not leave them at risk for identity theft,” said San Diego attorney Jason Hartley at the time.