The breach allowed unauthorized individuals to gain access to Beacon employee email boxes, which exposed personal and protected health information of some individuals, including patients, according to a news release. Beacon began mailing letters to affected individuals Friday.
But Beacon, which oversees Memorial Hospital in South Bend and Elkhart General Hospital, said there "is no evidence of any actual or attempted misuse of personal or protected health information belonging to Beacon Health System patients."
The cyberattack was discovered in March, but the unauthorized access of emails began as early as November 2013, according to Beacon. The last date of access into any email box was Jan. 26, 2015. On May 1, after an extensive review of the attack, Beacon was advised that protected health information was contained in the affected emails.
"While there is no evidence that any sensitive information was actually viewed or removed from the email boxes, Beacon confirmed that patient information was located within certain email boxes," Beacon's news release read. "The majority of accessible information related only to patient name, doctor's name, internal patient ID number, and patient status (either active or inactive)."
The accessible information included: Social Security number, date of birth, driver's license number, diagnosis, date of service, and treatment and other medical record information, according to Beacon.
Beacon is providing affected individuals with access to one year of free identity and credit monitoring and restoration services, along with access to a confidential assistance line and an identity theft protection specialist. According to Beacon, it's also reviewing its policies and procedures and is implementing additional measures to prevent an incident like this from happening again.
Beacon is the most recent victim of an increasing number of cyberattacks on health care companies. In February, Indianapolis-based Anthem found hackers broke into a database storing information on 80 million people. The Blue Cross Blue Shield insurer said names, birth dates, email address, employment details, Social Security numbers, incomes and street addresses of people who were currently covered or have had coverage in the past were accessed.
Although Beacon says it has found no evidence of patient information is being misused, fraud experts urge people not to wait for notification to act. Instead, they recommend that people register for a credit freeze, also known as a security freeze, with the three credit reporting bureaus — Equifax, Experian and TransUnion. That will prevent someone from taking out a line of credit in your name without your permission, but still allow you to use your credit cards. And it can be lifted at any time if you want to apply for a credit card or loan.
©2015 the South Bend Tribune (South Bend, Ind.) Distributed by Tribune Content Agency, LLC.
