A data breach at a Chicago healthcare provider may have exposed the personal health information of 12,578 people.
Sinai Health System was breached in a cybersecurity incident that occurred in the fall of 2019. Hackers are thought to have gained unauthorized access to the organization’s email via a phishing attack.
Patient data that was stored in the email accounts and may have been exposed included names, addresses, dates of birth, Social Security numbers, health information, or health insurance information.
The healthcare provider became aware that two of its employees had been taken in by a phishing scam that struck in October.
In a statement released by Sinai Health System on December 19, the company wrote: "Sinai Health System (Sinai) has become aware of a potential data security incident that may have resulted in the inadvertent exposure of some patients’ personal and health information.
"On October 16, 2019, forensic information technology experts determined that patient information could be at risk after an unknown third party gained unauthorized access to two employee email accounts."
Following the discovery of the malicious attack, hospital officials took steps to secure the email accounts and reset passwords. Sinai Health System has also reviewed and revised its information security policies and procedures, including email retention procedures.
Employees of the healthcare provider were given additional cybersecurity training following the attack to reduce the risk of further breaches' occurring. The organization has also enhanced the filtering protocols for its email accounts.
An investigation into the incident launched by Sinai Health System uncovered no evidence that any patient information had been exfiltrated or misused.
Sinai Health System wrote: "Experts performed an investigation and found no evidence that any patient information was removed from Sinai Health System’s email accounts or systems.
"Further, Sinai is not aware of any misuse of any patient’s information and has seen no indication that any patient’s information is in the hands of someone it should not be as a result of this incident."
Information regarding the breach was submitted on December 13 to the Office for Civil Rights, which has launched its own investigation into the incident.
Sinai Health System is composed of Mount Sinai Hospital, Holy Cross Hospital, Schwab Rehabilitation Hospital, Sinai Children’s Hospital, Sinai Community Institute, Sinai Medical Group, and Sinai Urban Health Institute.