Chaplaincy Health Care is offering free identity protection and credit monitoring to more than 1,000 people after a privacy breach.
An employee’s email login credentials were compromised through an apparent phishing scheme.
Although it appears the schemers only were looking for more email contacts, the employee’s inbox had some patient information, including names, birth dates, partial Social Security numbers, medical record numbers and home address, the agency said this week.
Complete Social Security numbers, financial records, and credit card information were not accessible, Chaplaincy officials said.
Medical records systems and donor records also weren’t affected, the agency said.
Still, Chaplaincy is offering identity protection and credit monitoring at no cost to the roughly 1,080 patients with information in the email account. The agency mailed letters to the patients on Thursday.
“Chaplaincy Health Care sincerely apologizes for the inconvenience and the concern this incident has caused” Gary Castillo, the agency’s executive director, said in a statement. “Information security is very important to us and we will continue to do everything we can to fortify our operational protections for our patients and their families.”
The breach happened in late November, and Chaplaincy hired a forensics firm to investigate. The firm concluded that whoever breached the account was looking for more email contacts for phishing, and not for financial or medical information, said Leslie Streeter, director of business development and operations. The breach was limited to a single email account.
Streeter said it’s unclear exactly how the breach happened.
It was discovered after the employee was notified by a contact of a suspicious email coming from her account.
Chaplaincy takes information security seriously and is taking steps to prevent future issues, including providing more employee training and moving toward two-factor authentication for account access, Streeter said.
Chaplaincy Health Care provides hospice, palliative and behavioral health services, plus grief care. It also has chaplains at agencies throughout the Tri-Cities, from Kadlec Regional Medical Center in Richland to the Benton County jail.
The agency, which is headquartered in Richland and has facilities in Kennewick, employs about 150 people.
Trios Health in Kennewick had a different kind of information breach make headlines in 2017.
In that case, an employee looked at more than 1,600 electronic patient records outside of his or her job duties, violating federal patient privacy law. The improper access happened over about 3 1/2 years, starting in October 2013.
Officials at the time said they weren’t sure of a motive, but believed the employee meant no harm.
The unnamed employee was fired.
The Herald sought more information through a public records request, but the request was put on hold when Trios entered bankruptcy proceedings. The public hospital system emerged from bankruptcy last summer and was sold to a for-profit company.
If you have questions for Chaplaincy about the breach, call 855-659-8793 or email email@example.com.