Hospital Breach Exposes Sensitive Data on 50,000 Patients

Written by Pam Baker
January 9, 2020

The breach involved the hacking of employee emails which contained medical data, in violation of HIPAA.

Alomere Health, a nonprofit hospital in Alexandria, Minnesota, reported early this month that a security breach discovered in November that exposed personal and medical data on nearly 50,000 patients. The security incident involved the hacking of two employee email accounts.

The company said that “in an abundance of caution,” it reviewed the emails and attachments in the two breached email accounts where the company discovered “portions” of patient information were contained and thus exposed. How much of the information was viewed and possibly captured by an unauthorized party is yet to be determined.

“Alomere Health stated it will add more security to hospital staff’s email accounts, but I have to wonder why such sensitive information is being stored in an email account in the first place? Email is not a secure means of communication and should not be used for something as sensitive as medical records and Social Security numbers,” said Paul Bischoff, privacy advocate with Comparitech. “Surely hospital staff have a more secure way to share medical data? I doubt sending sensitive medical and personal data in an email attachment is HIPAA-compliant.”

Alomere isn’t the only hospital that has suffered such a breach where sensitive patient data was exposed in emails. One example is last January’s Managed Health Services of Indiana breach wherein 31,000 patients’ data was exposed.

Patient portals were meant to secure communications involving personal and medical data shared between patients and health care professionals. Other technologies such as EMRs and EHRs were also designed to protect patient information and retain HIPAA compliance. It’s more than a little odd to discover any patient data is still being shared via email today — especially in a hospital environment where presumably security protocols are stronger and better enforced than a rural, one-man physician’s office.

MSSPs would be smart to add monitoring employee email and employee educational efforts to their menu of services, if they haven’t already, to prevent email exposures of sensitive patient data.

Comforte’s Warren Poschman

“In the most recent medical breach at Alomere Health, small and midsize regional providers continue to be a target without abatement. The fundamental issue is how these providers manage data, such as in this case where ‘portions of some patients’ information were contained in the email accounts,’” said Warren Poschman, senior solutions architect at comforte AG. “Regardless of whether the email account was compromised via brute force, social engineering, or the more sophisticated persistent authentication token theft, the focus should be on ensuring that personal health information (PHI) and personally identifiable information (PII) data are never in an email in the first place.”

This particular data breach also underscores the ineffectiveness of many “enhanced email security” programs.

“Enhanced security such as ‘additional security measures for all …employee email accounts’ will not stop these attacks as these measures are simply virtual Band-Aids for our medical records,” said Poschman.

MSSPs that can come up with better ways to control email content as well as email transfers may find this a profitable differentiator from their competitors. Opportunities should be vast given these problems are universal across business verticals and not confined to health care. However, health care is a prime attack target for cyberattacks and thus arguably in greatest need of an innovative fix.