Public Notice: Health Insurance Portability and Accountability Act
By Mandy Cepeda Apr 21, 2016
Wyoming Medical Center takes the privacy of our patients very seriously and strives to protect the privacy of each patient. Although there is little risk to patients, Wyoming Medical Center wants to inform the public of a recent incident which allowed unauthorized access to limited protected patient health information (PHI) affecting 3,184 patients.
On Feb. 25, 2016, Wyoming Medical Center discovered that an unauthorized third party had access to two organizational email accounts. No evidence exists to indicate that PHI was viewed or copied from the compromised email accounts. Because the unauthorized party only had access to the email accounts for 15 minutes, we believe that no PHI was viewed or acquired. If the unauthorized party did view patient information, they would have had access to view patient names, medical record numbers, account numbers, dates of hospital service, dates of birth and limited medical information.
Wyoming Medical Center took immediate steps to secure the email accounts. Although this is a serious breach, the information potentially disclosed did not include patients’ addresses, Social Security Numbers or insurance information.
Because of the limited information contained within the compromised email accounts, there is little to no risk to patients who may have been affected.
In light of this recent event, Wyoming Medical Center is reviewing our internal email safeguards and policies to protect against future incidents. Wyoming Medical Center has reported this event to the Office for Civil Rights, the government agency that oversees HIPAA privacy compliance (Health Insurance Portability and Accountability Act Privacy Law).
If you were personally affected, and we have your current address, you will be receiving a letter informing you of this breach. Should you have any questions, please contact Wyoming Medical Center’s Privacy Office at 307-577-2545 or 800-822-7201 extension 2545.
Frequently Asked Questions
Q: What happened?
An employee at Wyoming Medical Center received an email, which appeared to be an official email. However, it was a phishing email that allowed an unauthorized third party access to a Wyoming Medical Center email account. This email account was then used to send out additional phishing emails and another Wyoming Medical Center email account was compromised. This unauthorized access lasted 15 minutes. Wyoming Medical Center performed an investigation, and though the likelihood of a third party accessing patient information is extremely low, we could not prove without a doubt that no information was accessed.
Q: What is a phishing email?
Phishing emails are email messages that appear to come from legitimate sources, such as a bank, a trusted friend or colleague, or a trusted business. Phishing is an attempt to acquire sensitive information such as usernames, passwords, credit card information, email addresses, or Social Security Numbers. Many times, it is difficult to identify phishing emails.
Q: What information was accessed?
Because these email accounts were compromised for such a short period of time, we do not believe any patient information was viewed or accessed. However, during that short period, a third party had access to view patient names, medical record numbers, account numbers, dates of service, dates of birth, and limited medical information.
Q: What possible medical information was compromised?
The information contained in the email accounts was for hospital purchasing purposes, such as instruments or devices implanted during surgery, information for wound care, or information regarding patients who were on isolation precautions.
Q: Was my medical record information accessed?
At no time was there any unauthorized access to Wyoming Medical Center’s electronic medical record systems.
Q: Why am I being informed when there is such a low risk to me?
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Law requires Wyoming Medical Center to inform patients if there is a potential breach of their health information and we are not able to prove that the information was not accessed.
Q: How does this affect me?
Wyoming Medical Center personnel reviewed each individual email to identify each patient possibly affected by this breach. We identified that your information was accessible by an unauthorized third party, though we believe it was never accessed.
Q: Do I need to take further steps?
Because of the limited information to which the unauthorized user had access, we do not believe you need to take any further steps.
Q: Am I at risk for identity theft?
No, the information accessible by the unauthorized user was limited and did not include the proper information to allow for identity theft. If you are concerned about potential identity theft, you may contact one of the credit reporting agencies that will place fraud protection on your credit report. All you have to do is contact one of the three credit reporting agencies and ask them to put a fraud alert on your credit file, and they should automatically inform the other two credit agencies. You may contact them via telephone or on their websites at:
- TransUnion: (800) 680-7289, website
- Experian: (888) 397-3742, website
- Equifax: (888) 766-0008, website
Q: What does Wyoming Medical Center do to protect patient information?
Wyoming Medical Center takes privacy very seriously. We routinely educate employees on privacy and take every step possible to prevent privacy breaches. Wyoming Medical Center uses firewalls and performs routine audits on our information systems. In addition, we contract with an information security firm that monitors and audits our systems routinely and we take action to continually improve and better protect our patients’ information.