An unauthorized user recently accessed several employee email accounts at physician-staffing firm EmCare, compromising personal information from roughly 31,000 patients.
EmCare said it became aware of the data security incident "recently," leading to an internal investigation. It has engaged a forensic security firm to determine the scope of the breach, according to a notice the company posted online Saturday. EmCare determined on Feb. 19 that the email accounts in question contained patient data, including some names, dates of birth, clinical information and Social Security numbers.
An EmCare spokesperson said the company is not releasing information regarding when it learned of the breach.
"Our focus is on providing impacted individuals information about the incident and guidance on how they can protect themselves," she wrote in an email.
The breached employee email accounts contained personal information from up to 60,000 people, including roughly 31,000 patients, the spokesperson confirmed. Others affected in the breach included employees and contractors.
EmCare said it does not know if the unauthorized user obtained any of the personal information held in the breached email accounts. The company began notifying affected patients, employees and contractors Friday.
The incident is part of an industrywide rise in email breaches.
Since 2017, email has been the primary outlet through which data is exposed in healthcare. There were 85 email breaches in 2017—more than double the number reported in 2016—accounting for nearly one-quarter of all healthcare breaches. In previous years, healthcare organizations and their business associates were more likely to attribute breaches to theft of paper records or laptops.
