12/17/2018

NOTICE REGARDING DATA SECURITY INCIDENT

The University of Vermont Health Network – Elizabethtown Community Hospital takes seriously the privacy and confidentiality of our patients’ information. Regrettably, this notice is regarding an incident involving some of that information. 

We are notifying individuals potentially affected by a recent data security incident in which, for a brief period of time, an employee’s email account was remotely accessed by an unauthorized user. We completed an initial 60-day investigation of the incident and have no evidence of any fraud or identity theft to any individual as a result of this incident. 

The incident, which occurred on October 9, 2018, was limited to one employee’s email account and did not involve the hospital’s computer networks or electronic medical records, nor did it involve the email or information technology systems at any of the Network’s other affiliates. Upon learning of the incident on October 18, 2018, we immediately took action, including changing passwords, implementing enhanced security features and engaging a leading forensic security firm to assist with the investigation. 

We are very sorry this has happened. We take seriously our responsibility to protect the privacy and confidentiality of the personal information of our patients and employees. To help prevent something like this from happening in the future, we have taken organization-wide steps to enhance the security of our email system, and we are reinforcing education with our staff to assure protection of patients’ information. 

Although the hospital has no evidence that any personal information was viewed or used by an unauthorized party, as part of the investigation, we searched for any personal information in the email account that may have been viewed.  We determined that the email account contained individuals’ personal information, including some individuals’ names, dates of birth, addresses and limited medical information; primarily information associated with billing such as medical record numbers, dates of service and a brief summary of services provided.  The account also contained the Social Security numbers of some individuals.  

We are notifying the 32,000 potentially-affected individuals. The notification will include information on steps individuals can take to protect themselves against potential fraud or identity theft. The 1,200 individuals whose Social Security numbers were included in the email account will be offered free credit and identity theft monitoring services. We have also set up a dedicated call center for patients and others.

While we haven’t determined that any individual record was accessed, we are taking a broad approach in notifying anyone who could possibly be affected by this incident so they can take proactive measures to protect their information. Through our ongoing investigation, it’s possible that we’ll find that fewer individuals were affected.

If additional information becomes available, it will be posted on this website.   Concerned individuals can also reach our call center at 1-877-845-7516 between 9 a.m. and 9 p.m. EST, Monday through Friday.