UConn Health email breach compromises data from 326,000 patients
An unauthorized user accessed a "limited number" of employee email accounts at UConn Health last year, compromising personal data of more than 326,000 patients, according to a Feb. 22 notice from the health system.
UConn Health did not specify when it learned of the breach. However, the Farmington, Conn.-based health system confirmed that it determined on Dec. 24 that the affected email accounts contained such personal information as names, dates of birth, Social Security numbers and medical data, including billing and appointment information, from some patients.
UConn Health declined to comment on the number of employee email accounts breached and how long the unauthorized user had access to the accounts.
The health system said it is offering free identity theft protection services to the roughly 1,500 patients whose Social Security numbers were compromised.
UConn Health reported to the HHS' Office for Civil Rights, which maintains the government's database of healthcare data breaches, that 326,629 patients were affected in the incident. UConn Health said it could not isolate what information the unauthorized user accessed or viewed, and therefore is including all patients whose information was held in the affected email accounts.
Healthcare organizations and their business associates have submitted nearly 50 incidents to the OCR's breach portal so far this year, the majority of which are classified as "hacking/IT."
The UConn Health incident represents the largest breach posted to the OCR's breach portal so far in 2019, although it is not the largest breach disclosed this year. On Feb. 20, UW Medicine in Seattle disclosed a website vulnerability that exposed protected health information from an estimated 974,000 patients in December 2018.
HIPAA-covered entities, such as hospitals, are required to notify HHS of breaches affecting 500 or more people within 60 days from when they discovered the incident. UConn Health submitted information on its email breach to the federal agency Feb. 21.
"We take our responsibility to safeguard personal information seriously and apologize for any inconvenience or concern this incident might cause," the health system wrote in its Feb. 22 notice. "We have taken and will continue to take steps to help prevent something like this from happening again, including evaluating additional platforms for educating staff and reviewing technical controls."