Adirondack Health began notifying over 25,000 patients in early July that a breach of protected health information (PHI) had occurred. Adirondack Health, part of Vermont-based Adirondacks Accountable Care Organization (ACO), discovered on March 4, 2019, that an employee’s email had been accessed by an unauthorized individual for two days.
Adirondacks ACO ran a check on the illegally accessed account, searching for any PHI that may have been leaked. The check turned up a document, shared between two employees, that contained PHI on patients who had missed well-baby exams and other screenings. This “gap-in-care” spreadsheet was part of the ACO’s population health analysis, and it was to be sent to providers to determine the best way to contact their patients for follow-up.
Currently, there is no evidence that the email was ever opened by the hacker. Since the possibility exists, however, it must be considered a true risk. The sheet contained PHI such as names, dates of birth, and health insurance policy numbers, as well as some Social Security numbers. A spokesperson for Adirondack Health stated that the unauthorized access was not the result of a phishing attack and was not caused by the employee themselves.
Adirondacks ACO analyses health data for the entire region and is made up of all the Adirondack regional hospitals.