[BreachExchange] Hartford HealthCare Hit by Valentine's Day Data Breach

Destry Winant destry at riskbasedsecurity.com
Mon Apr 20 10:20:55 EDT 2020


A US healthcare provider that serves 185 towns in Connecticut and
Rhode Island has issued a data breach notification.

Hartford HealthCare released a statement on April 13 warning patients
about a cybersecurity incident that took place between February 13 and
Valentine's Day (February 14) this year.

According to the notification, attackers gained access to patients'
personal information after compromising email accounts belonging to
two of Hartford HealthCare's more than 30,000 employees.

After suspicious activity was observed in the targeted email accounts,
Hartford HealthCare "immediately took steps to secure the accounts"
and engaged a technology forensics firm to investigate the attack.

The healthcare provider said that up to 2,651 individual patients may
have been affected by the incident. Information that malicious hackers
got their hands on included patient names, dates of birth, clinical
information, and health insurance information.

For 23 individuals, an insurance account number that includes their
Social Security number was illegally accessed. And, for an undisclosed
number of patients, personal financial information was involved.

A spokesperson for Hartford HealthCare said: "For nearly all of the
affected individuals, the information did not include any personal
financial information, such as Social Security number or credit card

The organization said that it had found no evidence that any of the
information that had been accessed in the incident had been misused.

"The investigation determined that an unauthorized person gained
access to two employees’ email accounts between February 13, 2020, and
February 14, 2020," said a spokesperson for Hartford HealthCare.

"The investigation began immediately and determined that one of the
two accounts contained some personally identifiable information
regarding some patients, including: patient name, date of birth,
medical record number, clinical information including diagnosis,
date(s) of service, provider name and health insurance information."

Hartford HealthCare has required all employees to change their email
passwords and has disabled "the software that the unauthorized person
used to carry out the attack."

The incident has been reported to the US Department of Health and
Human Services Office for Civil Rights. For the 23 patients whose
compromised information included a Social Security number, Hartford
HealthCare is offering two years of free credit monitoring.