Aultman Health Foundation Phishing Attack Affects up to 42,600 Patients

May 30, 2018


Aultman Health Foundation, which manages Aultman Hospital in Canton, OH, is warning about 42,600 patients that some of their protected health information might have been accessed because of a phishing attack.

Unknown and unauthorized people succeeded in gaining access to many electronic mail accounts used by staff members of Aultman Hospital, its AultWorks Occupational Medicine department, and some Aultman physician centers.

The illegal access was first noticed on March 28, 2018, leading to a thorough inquiry to decide the level of the breach and whether any confidential information might have been accessed. Third-party information safety experts were hired to assist with the inquiry and found that access to the electronic mail accounts occurred on many occasions starting in mid-February and continued until the breach was noticed and remedied in late March.

The breach was limited to electronic mail accounts. The system that states electronic medical records was not obtained. Electronic mail accounts used by Aultman hospital and some doctor practices included names, clinical information, addresses, medical history numbers and doctors’ names.

People checked by AultWorks Occupational Medicine had a larger variety of information disclosed including name, address, the results of drug, hearing, and breathing tests, and other lab test results, reports on physical examinations, medical history, and date of birth. Some AultWorks Occupational Medicine patients also had their Social Security number and/or driver’s license number obtained. Social Security numbers were only disclosed in cases where companies use Social Security numbers to recognize workers/potential staff members.

When the phishing attack was known Aultman Health Foundation carried out a password reset to halt any more illegal accessing of electronic mail accounts and made sure just safe, difficult passwords could be set. Safety checking has been increased to find any future breaches more rapidly and further security controls have been applied to electronic mail accounts to obstruct possible attacks. Staff members have also been given additional training to increase strength to phishing efforts.

Aultman Health Foundation summarized in a safety breach FAQ that it was not possible to determine whether electronic mails and electronic mail attachments including PHI were opened and read by the individual(s) behind the attack; nevertheless, no accounts have been presented to date to provide any information in the accounts has been incorrectly used.

All patients suffered by the event have been alerted to verify their credit reports, as well as Explanation of Benefits statements in detail for any indication of fake use of their information and people whose Social Security number or driver’s license number were obtained, have been provided free credit checking facilities.