Breach at New York state agency affects nearly 1,000 patients

A breach at People Inc., serving senior citizens and persons with disabilities throughout Western New York, jeopardized the records of about 1,000 patients.

Records became exposed after two employees were victimized by an email phishing scheme, after they clicked on emails that had malware, believing that the communication had come from a trusted source.

On February 19 the organization discovered unauthorized access to its systems and immediately reset the password to an affected account. It engaged a forensics firm to determine what happened and whether protected health information was accessed or acquired without authorization. It later found another impacted email account.

Elmwood Health Center-CROP.jpg

At least nine types of protected health information were compromised, including names, addresses, Social Security numbers, financial accounts, medical information, insurance, and driver’s license and other government identification numbers.

Also See: Baystate says breach from phishing attack could affect 12,000

At this time, there is no evidence that affected information is being misused, the organization told patients in a notification letter, and the incidents have been reported to the FBI.

While a local media source reports nearly 1,000 persons may be affected, People will submit the final number to the HHS Office for Civil Rights, which enforces the HIPAA privacy and security rules.

The organization is offering affected individuals one year of identity protection services from Experian and offering tips on protecting a variety of financial accounts.

For reprint and licensing requests for this article, click here.