Hack at Navicent Health affected 1,400 patients. Health system knew 2 months ago.

Two months after Navicent Health discovered one of its employees opened an email that allowed hackers to access sensitive information on more than 1,400 patients, the hospital announced it is starting to notify those who may have been affected.

The hospital learned June 24 of the phishing email, according to a news release sent to news outlets on Aug. 23.

Phishing is a type of internet fraud in which emails that appear to be legitimate communications from an established business are actually disguised attempts to steal information, according to the FBI.

The employee likely opened the phishing email between June 22 and 24, according to a news release from the hospital. The employee’s password was changed immediately and the hospital’s security controls were enhanced, the news release said.

In addition to an internal investigation, the hospital notified the FBI and started talks with a national forensics firm.

No access was gained to Navicent Health’s electronic medical record systems. Personal, clinical and medical records were not involved.

The affected email account contained the following information on patients and people responsible for paying a patient’s bill, according to Navicent:

  • First and last name
  • Address
  • Telephone number
  • Date of birth
  • Social security number
  • Financial information (payment card information, bank account number, bank name, check number, routing number and/or personal identification number)
  • Medical information such as insurance details, treating or referring doctor, treatment costs, diagnosis and treatment information, prescription information and other clinical information.

The hospital is not aware of any fraud or identity theft to any individual as a result of the phishing attack, according to the news release. The hospital is sending those who were potentially impacted information on how to protect themselves against fraud or identity theft. It also is providing free identity theft protection services to those whose social security numbers or financial information might have been compromised.

“We encourage potentially affected individuals to remain vigilant in monitoring account statements, bills, notices and insurance transactions for incidents of unauthorized activity and to promptly report such incidents,” the hospital said in a news release.

It’s not the first time hackers have tried to access Navicent Health emails.

The hospital announced in March that it had been a victim of a cyberattack that targeted its employee email system in July 2018. The hospital did not say how many people might have been impacted. Other than a post on its website titled “Notice of Data Security Incident” in March, there have been no updates on the hack.

Navicent Health spokeswoman Megan Allen said the hospital would not speculate as to possible motivations for hacking employee emails. Allen declined to say in which department the employee who opened the phishing email works.

Those seeking additional information on the recent phishing attack are encouraged to visit nh.kroll.com or call a toll-free inquiry line at 1-833-496-0193, between 9 a.m. and 6:30 p.m., Monday through Friday.
