Luminis Health, the owners of Anne Arundel Medical Center in Maryland, announced Thursday that its email system was accessed by an unauthorized party, and some patient information could have been exposed during the breach.
The health company said it became aware of the breach within its employee email system on Sept. 3, 2021, and took steps to secure the impacted email accounts.
They then hired a computer forensics firm to assist in an investigation into the incident. That investigation found that an unauthorized person accessed employee email accounts between Aug. 26 and Sept. 14.
The company said because it had no way of knowing which emails may have been accessed, they launched a review of all emails and attachments within those accounts. That review — which is ongoing — determined that patient records, such as names, date of birth, medical record numbers and Social Security numbers, were available in some of those emails.
Luminis said it doesn’t believe that any of this information was viewed during the breach, but that letters began going out to impacted patients on Jan. 12. They said all affected patients will be notified once the investigation is complete, which they expect to complete “in the coming weeks.”
Those who have questions or would like to know more are being directed to a toll-free helpline specifically for this incident at 855-675-3128. The line is available Monday through Friday 9 a.m. to 9 p.m.
Patients whose Social Security information was available in the emails will be offered free credit monitoring through Equifax.
While the company did not say specifically how the email system was compromised, its statement said measures would be taken to help employees identify phishing emails.
“To help prevent something like this from happening again, we have reinforced education with our employees on how to identify and avoid phishing emails and have implemented tighter controls on the existing multi-factor authentication for our email environment,” the company said.
