A US healthcare provider that serves 185 towns in Connecticut and Rhode Island has issued a data breach notification.
Hartford HealthCare released a statement on April 13 warning patients about a cybersecurity incident that took place between February 13 and Valentine's Day (February 14) this year.
According to the notification, attackers gained access to patients' personal information after compromising email accounts belonging to two of Hartford HealthCare's more than 30,000 employees.
After suspicious activity was observed in the targeted email accounts, Hartford HealthCare "immediately took steps to secure the accounts" and engaged a technology forensics firm to investigate the attack.
The healthcare provider said that up to 2,651 individual patients may have been affected by the incident. Information that malicious hackers got their hands on included patient names, dates of birth, clinical information, and health insurance information.
For 23 individuals, an insurance account number that includes their Social Security number was illegally accessed. And, for an undisclosed number of patients, personal financial information was involved.
A spokesperson for Hartford HealthCare said: "For nearly all of the affected individuals, the information did not include any personal financial information, such as Social Security number or credit card information."
The organization said that it had found no evidence that any of the information that had been accessed in the incident had been misused.
"The investigation determined that an unauthorized person gained access to two employees’ email accounts between February 13, 2020, and February 14, 2020," said a spokesperson for Hartford Healthcare.
"The investigation began immediately and determined that one of the two accounts contained some personally identifiable information regarding some patients, including: patient name, date of birth, medical record number, clinical information including diagnosis, date(s) of service, provider name and health insurance information."
Hartford HealthCare has required all employees to change their email passwords and has disabled "the software that the unauthorized person used to carry out the attack."
The incident has been reported to the US Department of Health and Human Services Office for Civil Rights. For the 23 patients whose compromised information included a Social Security number, Hartford HealthCare is offering two years of free credit monitoring.