Catholic Health Initiatives has notified nearly 12,000 patients in five states following an email phishing scam that compromised protected health information.

A small number of employees in CHI-owned health systems responded to emails that they believed were legitimate requests for information from the parent company. The emails actually came from scammers who had accessed some CHI email accounts. Protected information that may have been in the email responses included name, address, date of birth, telephone number, treating physician or department, diagnosis, treatment, medical record number, medical service code and health insurance information, according to the organization.

A small number of emails also included patients’ Social Security numbers. For instance, 15 patients treated in nine hospitals in Washington had their SSNs compromised, out of about 8,300 patients notified in the state. Kentucky had 3,500 notifications, and there were 66 in Chattanooga, Tenn., 26 in Des Moines, Iowa, and 12 in Redding, Pa., says CHI spokesperson Michael Romano. All patients with compromised SSNs are being offered free credit protection services. The organization has no evidence that information in the emails has been used.


CHI currently does not encrypt internal emails, which is what employees thought they were using when sharing patient data. The organization does encrypt outgoing emails. Romano did not know if internal email encryption will be deployed. The organization is re-educating employees on email scams and will strengthen user login authentication.
