On April 24, 2024, Aultman Hospital in Canton, Ohio, detected phishing emails being sent from a compromised employee email account. The hospital took immediate action to secure the account and launched an investigation to determine the scope and impact of the breach. The investigation revealed that the unauthorized access occurred between April 22 and April 24, 2024, and was confined to this single employee’s email account.
The attack primarily involved a phishing scheme aimed at compromising email accounts, rather than accessing the contents of the emails or attachments. Despite this, the investigation could not entirely rule out the possibility of unauthorized access to the emails and their attachments. A manual review of the emails confirmed that some contained sensitive patient information.
The exposed information varied for each individual but generally included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance details, diagnoses, and treatment information. Aultman Hospital began notifying the affected individuals by mail on June 21, 2024, and has implemented additional security measures to prevent future incidents.
In response to the breach, Aultman Hospital has enhanced its cybersecurity training and technical safeguards. The U.S. Department of Health and Human Services’ Office for Civil Rights breach portal reports that 6,890 individuals were affected by this incident.