Black River Medical Center employee falls for phishing scam; breach ensues

Black River Medical Center has issued a notice informing customers that the healthcare provider has learned of a data security lapse that may have resulted in the exposure of some patients” personal information.

An affiliate of Saint Francis Healthcare System, Black River is a community-owned, not-for-profit hospital in Missouri, US. On April 23, the hospital discovered that a staffer fell for a phishing scam and had his / her email account compromised. From there, the attacker could use those credentials to access sensitive patient information.

“The investigation determined that an unknown, unauthorized third party gained access to the employee”s email account and could have viewed or accessed the information contained therein, which included patients” names, addresses and phone numbers, and in certain instances, limited treatment information,” the notice reads.

Black River says the attacker fortunately did not get social security numbers or any financial or billing information. It also says there is no direct evidence that patient information was actually accessed or viewed. However, the worst case scenario must always be taken into consideration in situations like these.

“At this time, there is no evidence that the unauthorized party actually accessed or viewed any patient information in the email account, and Black River is not aware of any misuse of patient information,” the hospital says. “The privacy and protection of patient information is a top priority for Black River Medical Center, which regrets any inconvenience or concern this incident may cause.”

Notification letters mailed to patients on June 13 are said to include additional information about the incident, as well as a number customers can use to call the healthcare unit with any questions.