Hacker accesses email accounts, PHI at retirement communities

A hacker accessed an employee’s email account at an Ohio retirement community and post-acute care organization, jeopardizing personal health information.

Ohio Living, which operates 12 retirement communities and also offers home health and hospice services, on July 10 discovered suspicious activity in an employee’s email account and determined that an unknown individual accessed employee accounts on that date.

Then, on July 19, the Columbus, Ohio-based organization detected potential unauthorized logins into other Ohio Living email accounts.

“Because we were unable to determine which email messages may have been opened or taken by the unauthorized actor, we reviewed the email accounts to identify what personal information was stored within them,” according to Ohio Living’s breach notification, sent to an undisclosed number of affected individuals.

On September 4, Ohio Living determined that the protected health information that could be compromised included patient names, contact information, Social Security numbers, financial information, dates of birth, medical record numbers, medical information and insurance information.

At the time of the breach, the organization implemented password resets for all employees, and now it has implemented additional training and data security education for all employees.

“Although we are not aware of any actual or attempted misuse of any individual’s information, we also are providing the impacted individuals access to complimentary credit monitoring services as an added precaution,” the company told customers, who also received information on protecting against identity theft or other financial losses.

Affected individuals were encouraged to place a fraud alert on their files that will inform creditors to take additional steps to verify identity prior to granting credit in individuals’ names.

Ohio Living did not respond to a request for additional information on the data incident.
