Hack Results in Data Breach at UMass Memorial Community Healthlink

Another data breach struck the healthcare industry this week. The victim: UMass Memorial Community Healthlink, which provides outpatient and emergency behavioral health treatment, substance abuse treatment services and homeless services.

On Monday, UMass Memorial Community Healthlink released a notice to its patients describing how an unauthorized individual entered two employees’ email accounts and gained access to 4,598 patients’ data. The clinic’s response suggests that the hacker might have gained access via phishing, but the mode of entry is unclear at this time.

Inside Digital Health™ made multiple attempts to reach a spokesperson at UMass Memorial Community Healthlink but could not get ahold of anyone.

Through a review of the two accessed accounts, UMass Memorial Community Healthlink determined that the unauthorized party could have accessed some patients’ names, dates of birth, client identification numbers, diagnosis and treatment information, health insurance information and, in “limited instances,” Social Security numbers.

In the notice, Community Healthlink said after learning of the unauthorized access on April 18, it immediately secured the accounts and began an investigation with a computer forensic company. The breach appeared on the Office for Civil Rights’ website this week.

Community Healthlink’s investigation did not determine whether the unauthorized party actually viewed any emails in the hacked accounts, so the organization reviewed all emails in both accounts to see whose information could have been accessible to the attacker.

While there is no indication that patient information was viewed or misused, Community Healthlink mailed letters to patients whose information was in the accounts.

The letter gives at-risk patients additional information to protect themselves.

Community Healthlink is also offering complimentary credit monitoring and identity protection services for patients whose Social Security numbers could have been compromised. The hospital also recommends that patients review billing or explanation of benefits statements from their health insurers or healthcare providers.

The organization immediately implemented new practices to strengthen its cybersecurity defenses, according to the notice.

“To help prevent something like this from happening in the future, we forced a password change for the impacted employees’ accounts, increased automated alerts and have implemented additional measures to further strengthen our security processes,” the notice said.

Community Healthlink will also reinforce employee training on how to detect and avoid phishing emails.

Get the best insights in digital health directly to your inbox.

Related

3 Trends Plaguing Healthcare Cybersecurity & How to Fight Them

How Important Is Protecting Patient PHI to Your Vendors?

Why Healthcare Is So Vulnerable to Ransomware and What We Can Do About It