ThedaCare announced that it was affected by a data security incident involving its former consulting firm, Pope & Conner. This firm, previously responsible for billing services at ThedaCare’s Juliette Manor and Peabody Manor facilities, discovered suspicious activity related to one of its employee’s email accounts.
Pope & Conner identified this suspicious activity in January and completed an investigation, finding that an unauthorized party briefly accessed the employee’s email account. While it could not be confirmed whether any sensitive information was accessed, the firm conducted a thorough review of the account’s contents to determine the extent of the exposure. The review revealed that less than 4,000 patients’ information may have been at risk.
The affected patients were identified by March 29, and Pope & Conner sent letters to each potentially impacted individual. These letters offered 24 months of complimentary credit monitoring and identity protection services to those whose Social Security numbers or driver’s license information might have been involved.
ThedaCare emphasized that its own computer systems were not compromised in the incident and that patient care was not impacted. The organization stated that it holds its vendors to the same stringent security standards as its own. Pope & Conner reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights, which oversees the privacy and security of patient health information.
Reference: