More than 200,000 patients of UMass Memorial Health may have had their personal information compromised in an email hack. The Worcester hospital says a hacker accessed email accounts for seven months, beginning in June of 2020.
A message to patients says the hack may have revealed names, social security numbers, and medical information.
According to the notice, the hospital first discovered this January that some UMass Memorial employees’ email accounts had been accessed by an “unauthorized person.”
“At that time, it was not known specifically what information may have been contained in the accounts,” the statement reads. “After first identifying suspicious activity within the employees’ email accounts, we immediately took steps to secure the accounts and a computer forensic firm was engaged to assist with our investigation. The investigation determined that an unauthorized person accessed the accounts between June 24, 2020 and January 7, 2021.”
UMass Memorial says it then spent more than seven months determining which individuals had information in those email accounts that could be compromised. The statement doesn’t list a number of people who had information in those emails, but the U.S. Department of Health and Human Services says 209,048 individuals were affected.
“For patients, the information involved included names, dates of birth, medical record numbers, health insurance information, and clinical or treatment information, such as dates of service, provider names, diagnoses, procedure information, and/or prescription information,” the statement says. “For health plan participants, the information involved included names, subscriber ID numbers, and benefits election information. For some individuals, a Social Security number and/or driver’s license number was also involved.”
UMass Memorial says it has no indication that individuals’ information was actually viewed by the hacker. The hospital says it sent a letter to people who may have been compromised, and is offering free credit monitoring and identity protection services for those whose Social Security number or driver’s license number was identified in the emails.
The news comes as Governor Charlie Baker addressed a state conference on cybersecurity Thursday. Baker said the pandemic has made the state more vulnerable to cyber attacks.
“Security issues have become paramount as we’ve worked, gone to school and carried out other essential business over the past 18 months,” Baker said. “And unfortunately our increased reliance on technology has led to a rise in cyber threats — a persistent threat against our communities, where hackers target municipalities, healthcare organizations, and much, much more.”
Baker called on organizations and local governments across the state to take steps to protect sensitive information.