More than 7,000 patients got notified about the Malware Attack on PCMH

Pawnee County Memorial Hospital (PCMH) in Pawnee City of Nebraska has notified more than 7,000 patients that a few of their PHI (Protected Health Information) was possibly been accessed by hacker.

On Nov. 29, 2018, the PCMH officials found that a malware virus had been installed and infected their business email system. As a result, an unauthorized individual gain access to their email system. The malware got injected into PCMH's email system after an employee of PCMH opened an email attachment, which was malicious. According to
the substitute breach notice of PCMH, the email seems to be sent from a trustworthy source and also the email attachment appears genuine.

With the help of a forensics team from outside, the PCMH has launched an investigation. The hospital determined after receiving assistance from the third-party computer forensics expert that the malicious email attachment got opened by a PCMH employee on Nov. 16, 2018. As a result, the hacker had been able to access email accounts of the
PCMH employees' between November 16, 2018, and November 24, 2018. The Electronic Health Records was not affected by this malware.

The compromised employee email accounts were used for hospital operations as well as patient care, and therefore have emails and attachments with clinical reports and clinical summaries, internal business records, and other documents of protected health information. Those compromised documents contain full name of patients', address,
date of birth, diagnosis, medical record number, lab test results, state ID number, insurance information, and driver's license number. Moreover, a few patients Social Security number have also been breached in this security incident.

While access to the protected health information was very much possible, it is still not clear whether the hacker had viewed and obtained any kind of patient information. PCMH believes that this attack has been financially motivated, and also was not conducted with motive of stealing the patient information.

In response to this breach, the PCMH officials reset all the passwords on the employee email accounts. Besides, PCMH continues working with the forensics team for implementing additional technology safeguards in order to improve the email security.

The hospital also sent notification letters about the breach to all the patients whose protected health information has been exposed. Moreover, PCMH further offered the complimentary enrollment in MyTrueIdentity online credit monitoring service for 1 year.

» SPAMfighter News - 3/6/2019