Beacon Health System, the result of a merger of two hospitals in South Bend, Indiana, announced that its email system was breached and that hackers had access to emails between November 2013 and Jan 26, 2015 – about 15 months. While allowing hackers to roam through your system for 15 months seems long, unfortunately it is not.
Beacon has begun to notify about 220,000 patients.
Given that what was announced was an email breach, what is unusual is the range of information compromised. In its press release announcing the breach, Beacon said the following information was compromised, with different information for different patients:
- Patient’s name
- Doctor’s name
- Patient ID
- Patient status
- Social security number
- Driver’s license number
- Date of birth
- Date of service
- Treatment information
- Other medical information
While the information disclosed differs from patient to patient, and Beacon has not said whether the emails were encrypted (I am guessing not), it appears that the health system was using email as a patient care management system. Otherwise, why would all this information be in email?
This might be a great time to look at how you use email and what sensitive information you might have stored in your email system, whether that is in the cloud (like Gmail) or local to your business (like Outlook and Exchange). It may scare you when you find out.