Sacred Heart Health Systems Data Breach (2015)

Sacred Heart Health Systems is reporting a security breach at one of its third-party vendors has resulted in the possible exposure of health and personal information of about 14,000 patients. Monday, the hospital said that on February 2, they were by a third-party billing vendor that one of its employee's email login information had been compromised as the result of an email phishing attack. The hacking attack was detected by the billing vendor on December 3 and the employee's username and password were shut down the same day. Upon notice of the incident, Sacred Heart, in cooperation with the billing vendor, immediately launched a thorough investigation into the matter. Sacred Heart engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected email account. After careful review, Sacred Heart was able to determine that the billing vendor's employee email account contained personal information for approximately 14,000 individuals. The personal health information in the email account included patient names, date of service, date of birth, diagnosis and procedure, billing account numbers, total charges, and physician name. Approximately 40 individuals' social security numbers were also compromised. The hackers did not gain access to individual medical records or billing records. Sacred Heart has sent letters to those potentially affected by the data breach. Identity monitoring and protection services are being offered free of charge for those whose social security number has been affected by the incident.