Carolinas HealthCare System, Charlotte, N.C., is notifying about 6,300 patients that a provider's e-mail account was hacked earlier this year.
Notified individuals include 5,600 patients of the system's Carolinas Medical Center-Randolph, a 66-bed psychiatric and behavioral health hospital, and 700 additional patients of the affected provider, according to a Carolinas HealthCare System news release
. An "intruder" obtained access to incoming and outgoing e-mails from the provider's account between March 11 and Oct. 8, when the healthcare system discovered the breach during an upgrade of its security software, according to the release.
Five of these e-mails contained patients' Social Security numbers, and an unspecified number also contained some medical and other information, including "one or more" data elements, such as patient names, dates of birth, diagnosis, prognosis, medications, results, referrals, dates and times of service, provider and facility names, internal hospital medical records and account numbers, Carolinas HealthCare said in the release.
No evidence has been found suggesting that patients' information has been misused, according to the system. The North Carolina attorney general and HHS have been notified, and the system is offering free credit monitoring to affected patients, the release stated.
There have been 511 breaches reported to and posted on the website of HHS' Office for Civil Rights
involving the healthcare records of 500 or more individuals since a federal public-notice requirement for these breaches took effect in September 2009. Thus far, a little more than 8% of these posted breaches involved hacking, while just less than 3% were reported to have involved e-mail as the source of the breached information. The records of nearly 21.4 million individuals have been compromised by all of the breaches reported to the OCR under an amendment to the HIPAA privacy rule in the 2009 American Recovery and Reinvestment Act.