On October 12, 2018, Catawba Valley Medical Center reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). Based in Hickory, North Carolina, Catawba Valley Medical Center is classified as a Healthcare Provider, and the email breach affected the protected health information of 20,000 individuals. According to this report about Catawba Valley Medical Center’s breach:
On August 13, 2018, Catawba Valley Medical Center (CVMC) in Hickory, NC discovered an unauthorised individual accessed the email account of a CVMC employee. Upon discovery of the email breach, steps were taken to secure the account and prevent further access, and a third-party computer forensics firm was called in to assist with the investigation and determine the extent of the breach.

That investigation revealed that between July 4 and August 17, 2018, three employees’ email accounts had been compromised after the employees responded to phishing emails. Some of the emails in those accounts contained patients’ protected health information including names, dates of birth, details of medical services received at CVMC, health insurance details, and for certain patients, Social Security numbers. No evidence was found to suggest that any emails had been accessed or copied and no information has been received to suggest patient health information has been misused in any way.

The phishing incidents have prompted CVMC to hire security experts to enhance employee education, more robust email security controls have been implemented, and CVMC will continue to upgrade hardware and software as appropriate to repel malicious threats. All patients whose protected health information may have been compromised as a result of the email account breaches were notified by mail on October 12, 2018. The breach summary on the HHS’ Office for Civil Rights’ breach portal indicates up to 20,000 patients have potentially been affected by the email account breaches.