Jefferson Healthcare announced today, Monday, January 11, 2021, that on November 9, 2020, unauthorized access to an employee’s email account occurred as a result of a phishing attack, which might have involved personal information maintained by Jefferson Healthcare of approximately 2,550 individuals.
The data security incident was discovered on November 12, 2020, and Jefferson Healthcare immediately took steps to halt the unauthorized access to the employee’s email account and prevent further unauthorized access. The intrusion occurred in the email system and did not access Jefferson Healthcare’s electronic medical record system. Jefferson Healthcare also hired two forensic specialist companies to investigate and determine the nature and extent of the unauthorized access and email breach and to determine if personal information was involved.
Based on Jefferson Healthcare’s security practices and investigation of the incident, it is reasonably believed that relatively few documents were likely viewed by the unauthorized parties during their brief access to the affected email account. However, the investigation could not definitively conclude that the unauthorized parties did not access certain information and documents stored in the affected email account. Potentially exposed information may have included an individual’s full name, date of birth, phone number, home address, health insurance information, certain health information such as dates of service, and diagnosis and treatment information. In a very small number of cases, social security number and/or financial information may have been disclosed.
At this time, Jefferson Healthcare has a reasonable basis to believe that there has not been any improper access to its electronic medical record system, billing systems, or other systems outside of the affected email account, and that the incident has not affected and will not affect any patient care.
“Jefferson Healthcare takes individual privacy, and the trust of our community, seriously and has taken immediate steps to enhance our information security systems. We continue to be vigilant in resolving security threats as they are identified and educating our staff members. We are committed to transparency and sincerely apologize to those who have been impacted by this breach,” said Brandie Manuel, Chief Patient Safety and Quality Officer.
Jefferson Healthcare’s additional prevention steps include:
- Implementing additional anti-fraud technology safeguards and other cybersecurity risk prevention measures;
- Reinforcing education and training for its staff members on how to avoid email phishing schemes and how to properly secure login credentials; and
- Thoroughly reviewing its policies and procedures to ensure that they sufficiently protect against further incidents of this type.
Jefferson Healthcare has notified all of the individuals whose information might have been accessed as a result of the incident. Affected individuals should take steps to protect their identity and monitor their credit file. Due to the nature of some of the information that might have been accessed by the unauthorized parties, Jefferson Healthcare has arranged for some individuals to enroll in a credit monitoring service through Experian at no cost to the individuals.
# # #