Data breach at Aultman Hospital may have compromised some patients’ personal information

CANTON, Ohio-- Administrators at Aultman Hospital in Canton are advising some of their patients that information about them may have been compromised in a recent data breach.

Tim Regula, vice president of compliance and audit for Aultman Health Foundation, says the breach happened after they noticed an increase in phishing emails to hospital accounts earlier in the year.

Phishing emails are bogus emails that appear to be from legitimate senders asking for confirmation of passwords or other security information.

Regula says in this case the emails asked employees to open an electronic document they were told needed their signature.

"Unfortunately, a few of our employees fell victim to that and clicked on them and maybe entered some information; we are not sure what, but that's our best suspicion is that's what started it," said Regula.

Regula said although a small number of accounts, as few as eleven, were compromised, the breach gave the sender access to other emails that may have contained sensitive information.

"There was patient information; there was social security numbers, driver's license, medical record numbers. Some of them had chief complaint or a doctor's name and so, like I said, it was bits and pieces of all of those or just maybe one of them," said Regula.

The hospital says the access was limited to a specific email account and did not compromise electronic medical records or other sensitive data.

Dr. John Nicholas, who runs the University of Akron's Cyber Security Degree program, says phishing is a constant threat for both individuals and companies.

"There's always going to be some clue; often times it's a misspelled word -- look for the grammar, look for anything that sounds like maybe not a native English speaker has written it, so if it looks fishy, pun intended, get ahold of your IT department immediately," said Nicholas.

"If they are asking for a user name and a password, most companies already know that so they won't have to ask you for that, so if you click on that once you have entered that information and all bets are off; everything is gone," said Nicholas.

The hospital says they believe the sender was looking for financial information such as wire transfers.

Regula believes none of the compromised information has been misused.

"I guess, first of all, we are sending letters to individuals to notify them that this happened and those that we are able to identify had their social security number or driver's license included will get a letter that includes an offer for one year of free credit monitoring," he said.