On September 16, 2024, Elitecare Emergency Hospital notified the U.S. Department of Health and Human Services Office for Civil Rights about a network breach that compromised the sensitive information of 24,754 individuals.
On July 10, 2024, Elitecare Emergency Hospital detected suspicious activity on its computer network. Elitecare disconnected its systems and worked with external cybersecurity experts, ultimately confirming that the incident was a cyberattack.
The exposed information includes names, Social Security numbers, driver’s license numbers, addresses, dates of birth, phone numbers, email addresses, health insurance details, medical information, and payment data.
On September 16, 2024, the hospital sent breach notification letters to the affected individuals.
In the Elitecare HIPAA substitute notice, the organization states, “Elitecare takes the privacy and security of your PHI very seriously, and our review of the incident is ongoing.”
“Although we have not detected any attempted or actual misuse of your PHI, Elitecare is providing this notice to help you understand what happened, let you know that your information may have been impacted, and give you information on steps you can take to protect your privacy. We are also offering to provide you with two years of complimentary credit monitoring and identity theft protection services at no cost to you.”
Protected health information (PHI) is any health information that identifies an individual, whether it is shared electronically, on paper, or orally. Examples of PHI include a patient's name, address, birth date, Social Security number, medical records, lab results, and insurance information.
The Health Insurance Portability and Accountability Act of 1996 requires healthcare providers, insurers, and their business associates to protect PHI against unauthorized access, uses, or disclosures.
Cybercriminals often attack the healthcare industry because a patient's record contains so much personal and financial information. Once the data is compromised, those cybercriminals sell it on the dark web for money, making healthcare organizations a prime target for ransomware attacks and data breaches.
Patients who received a breach notification letter from Elitecare Emergency Hospital must keep monitoring their accounts and report suspicious activity. These patients can also seek legal action for the damages caused.
A breach occurs when an unauthorized party accesses, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.