Minnesota Hospital Breach Impacts Personal and Medical Data of 50,000 Patients

• The hospital started notifying its patients of the security breach incident on January 3, 2020.
• Alomere Health has been twice named as one of the Top 100 Hospitals by Thompson Reuters.

Two phishing attacks on the Minnesota-based Alomere Health impacted the personal and medical information of 49,351 patients.

Alomere Health is a community-owned and non-profit general medical and surgical hospital and has been twice named as one of the Top 100 Hospitals by Thompson Reuters.

What happened?

Alomere Health detected the security breach on November 6, 2019.

• The hospital staff found that an unauthorized person(s) held access to an Alomere Health employee’s email account between October 31, 2019, and November 1, 2019.
• Further investigation revealed that a second employee's email was breached on November 6, and some patient information might have leaked.
• The hospital administration immediately took investigative measures and reviewed the emails and attachments in the accounts to understand the impact of the attack.
• The hospital started notifying its patients of the security breach incident on January 3, 2020.

What’s at stake?

After reviewing the two hacked email accounts, it was found that portions of some patients’ information were contained in the email accounts.

• The impacted email accounts contained patients’ data including their names, addresses, dates of birth, as well as medical info such as record numbers, health insurance information, treatment information, and/or diagnosis information.
• Additionally, for a limited number of patients, Social Security numbers (SSNs) and driver's license numbers might have also been exposed.

The response

Alomere Health will compensate for patients whose SSNs and driver license information was stored in the breached email accounts. It has offered complimentary credit monitoring and identity protection services for those patients.

“To lessen the likelihood this occurs in the future, we have put in place additional security measures for all of Alomere Health employee email accounts. It is through these additional layers of security, staff training, and diligence that we will continue to provide high-quality health care, close to home with safety and security,” read a post disclosing the incident on the hospital website.