4 hacked email accounts cause breach at Summa Health

Unauthorized access by a hacker to four employee email accounts at Summa Health has resulted in a data breach at the organization.

The size of the breach at Summa Health—which is based in northeast Ohio and operates 10 health centers on three campuses—has not been publicly disclosed. The number of affected individuals eventually will be posted on the Department of Health and Human Services’ data breach website.

On May 1, Summa Health learned of the access to the employees’ email accounts. It hired a forensics firm, which determined that the attacker first had access to two accounts dating back to August 2018, and then accessed two more accounts between March 11 and March 29.

“The investigation was unable to determine whether the unauthorized individual actually viewed any email or attachment in the accounts,” the company notes. “We thoroughly reviewed every email and attachment in the accounts to identify patients whose information may have been accessible to the unauthorized person.”

At least nine types of protected health information were exposed, and patients with possibly compromised Social Security numbers and driver’s license numbers are receiving credit monitoring and identity protection services from an unnamed credit firm.

“We have no indication that any patient information was actually viewed by the unauthorized person or that it has been misused,” Summa Health told affected patients. “However, out of an abundance of caution, we mailed letters to affected patients on June 28 and have established a call center to answer questions.” The patient notification letters expressed regret for any inconvenience or concern that the incident may cause affected individuals.

“We continually evaluate and modify our practices to enhance the security and privacy of our patients’ information. To help prevent something like this from happening in the future, we are reinforcing employee training on privacy and security, and are instituting additional security measures throughout the health system,” the letter noted.

Summa Health did not respond to a media request for additional information on the incident.
