On May 25, 2018, Aultman Hospital submitted notice of a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). Based in Canton, Ohio, Aultman Hospital reported that the email breach affected the protected health information of 42,625 individuals. Aultman Hospital is classified as a Healthcare Provider.
According to Aultman Hospital's statement:

Tim Regula, vice president of compliance and audit for Aultman Health Foundation, says the breach happened after they noticed an increase in phishing emails to hospital accounts earlier in the year. Regula says in this case the emails asked employees to open an electronic document they were told needed their signature.

"Unfortunately, a few of our employees fell victim to that and clicked on them and maybe entered some information; we are not sure what, but that's our best suspicion is that's what started it," said Regula.

Regula said although a small number of accounts, as few as eleven, were compromised, the breach gave the sender access to other emails that may have contained sensitive information.

"There was patient information; there was social security numbers, driver's license, medical record numbers. Some of them had chief complaint or a doctor's name and so, like I said, it was bits and pieces of all of those or just maybe one of them," said Regula.

The hospital says the access was limited to a specific email account and did not compromise electronic medical records or other sensitive data.

"We take patient privacy very seriously, so we deeply regret that this occurred," said Regula in the release. According to the release, the amount of data that could have been accessed varied for each patient. Aultman said there is no indication that any of the information in the email accounts has been inappropriately used by anyone.

"We understand that a threat to one's personal data can be upsetting, and we apologize for this breach," Regula said. "We are making it a top priority for our organization and are assigning resources and staff to this issue to help those patients affected by this incident. We want to make sure they do everything they can to protect their personal information. If you have any questions about this incident, please call our dedicated assistance hotline."

Aultman, meanwhile, said it has taken steps aimed at preventing any future incident, including changing how patient information is stored and protected and enhancing security procedures for the use of email. Specific changes include resetting account passwords and making them longer and more complex; adding security features to email accounts and strengthening security monitoring; and continuing training to help staff recognize the methods unauthorized individuals use to gain access to email accounts.
The HHS Wall of Shame is a website maintained by HHS that lists HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights (OCR). Under section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.