On June 29, 2018, Hunt Memorial Hospital District reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). Hunt is located in Greenville, Texas, and the breach affected the protected health information of 1,887 individuals. Hunt Memorial Hospital District is classified as a Healthcare Provider. According to this report:
On May 1, 2018, Hunt learned that an unauthorized user accessed its Home Health email system through the email account of an employee of Hunt Regional Home Health and sent an email to certain internal users of Hunt’s email system. Although the email did not contain any patient protected health information, Hunt was unable to definitively rule out whether the unauthorized user otherwise accessed protected health information while in the system.
By having access to the email system, it is possible that the unauthorized user could have had access to personal information of Hunt’s Home Health patients whose information was accessible by the Hunt employee whose email account was compromised. Hunt has reported this incident to the FBI and will fully cooperate with its investigation. Hunt recently sent letters to those patients who may have been affected by this incident.
Although there is no evidence indicating that patients are at risk for identity theft, the letters informed those patients that Hunt is offering them identity theft protection services through ID Experts® to provide them with MyIDCare™.
MyIDCare services include twelve months of credit monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials, and fully managed ID theft recovery services.
More information can be found in the letters provided to those patients who may have been affected. A variety of administrative, physical, and technical security measures were in place prior to this incident.
After the incident, Hunt has taken steps such as reviewing its policies and procedures and retraining our employees on the proper handling and protection of login credentials to prevent mistakes such as this from occurring in the future. Hunt continues to assess its privacy and security controls to prevent future breaches.
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. As part of section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.