ELIZABETHTOWN — For a brief time, an unauthorized user remotely accessed an email account of an employee at University of Vermont Health Network, Elizabethtown Community Hospital that contained some personal information, including Social Security numbers.
While no evidence has been found that individual information was viewed, ECH said in a news release, the hospital is notifying about 32,000 potentially affected people and providing information on steps they can take to protect themselves against potential fraud or identity theft.
“The 1,200 individuals whose Social Security numbers were included in the email account will be offered free credit and identity theft monitoring services,” the release said.
Just one account
An initial 60-day probe into the Oct. 9 incident revealed no evidence of any fraud or identity theft to any individual, ECH said.
The breach was limited to one employee’s email account, the hospital said, and did not involve the facility’s computer networks or electronic medical records, nor did it involve the email or information technology systems at any of the Health Network’s other affiliates.
“Upon learning of the incident on Oct. 18, the hospital immediately took action, including changing passwords, implementing enhanced security features and engaging a leading forensic security firm to assist with the investigation,” the release said.
“We are very sorry this has happened,” ECH President John Remillard said in the release.
“We take seriously our responsibility to protect the privacy and confidentiality of the personal information of our patients and employees.
“To help prevent something like this from happening in the future, we have taken organization-wide steps to enhance the security of our email system, and we are reinforcing education with our staff to assure protection of patients’ information.”
The hospital has no evidence, Remillard said, that any personal information was viewed or used by an unauthorized party — the probe searched for any personal information in the email account that might have been viewed.
Along with some Social Security numbers, ECH said, the investigation “determined that the email account contained individuals’ personal information, including some individuals’ names, dates of birth, addresses and limited medical information; primarily information associated with billing such as medical record numbers, dates of service and a brief summary of services provided.”