Email accounts at a Kansas hospital were compromised for nearly a year in a prolonged data breach affecting more than 52,000 individuals.
Emporia-based Newman Regional Health was breached by an unauthorized threat actor last year. In a data security notice on its website, the healthcare provider disclosed that the actor was able to access a limited number of email accounts between January 26 2021 and November 23 2021.
An investigation into the security incident, conducted “with the help of third-party experts,” found that the compromised email accounts contained a treasure trove of personal data, including names, medical record numbers, birth dates, email addresses, phone numbers, addresses, treatment information and employee information.
“A limited group of individuals may have Social Security number or financial information affected,” stated the healthcare provider.
Newman Regional Health said that the investigators reached their conclusions on March 14 2022, but did not state when suspicious activity had first been detected or when the investigation into the incident was launched.
The hospital made a vague statement on its website describing what action it had taken to prevent a similar attack from occurring in the future.
“The security of the data we maintain is of the highest priority to us and we are using enhanced security tools to protect it. Newman Regional Health has taken steps to help prevent similar incidents in the future,” stated the healthcare provider.
Newman Regional Health has notified law enforcement of the data breach and is sending letters to individuals whom the attack may have impacted. The healthcare provider said that while “there has been no evidence of fraudulent activity as a result of this incident,” recipients of the letter should review the information provided regarding identity protection.
The letter states: “This incident was limited to certain email accounts and did not impact the privacy or security of Newman Regional Health’s medical record or other information systems.
“While we do not have evidence that your information was used for fraudulent purposes, we are unable to conclusively rule out the possibility that your personal information was accessed and acquired as a result of this incident.”