Some patient information at Medical College of Wisconsin accessed after phishing attack
MILWAUKEE (CBS 58) – The Medical College of Wisconsin has notified certain patients about a recently discovered security incident involving a limited number of MCW employee email accounts.
The hospital learned that a small number of faculty and staff were victims of a spear phishing attack to their email system. MCW promptly disabled the impacted email accounts, required password changes to the compromised accounts, maintained heightened monitoring of the accounts and commenced an investigation.
Since completing the investigation and manual document review, on September 20, MCW concluded that an unauthorized third party accessed a limited number of email accounts belonging to MCW employees that contained patients’ protected health information. The investigation further determined that the compromise of the email accounts occurred between July 21 and July 28, 2017, but the forensic firm could not definitively conclude if any information was actually accessed, viewed, downloaded or otherwise acquired by the unauthorized user.
Patient information dealing with names, home addresses, dates of birth, medical record numbers, health insurance information, dates of service, surgical information, diagnosis/condition, and/or treatment information could have been accessed. Social Security numbers and bank account information for a very small number of patients were also contained within the affected email accounts.