LITTLE ROCK, Ark. (KATV) — An intruder gained access to patient and physician information at Conway Regional Medical Center after an email phishing attack, according to a letter sent to patients.
Patients who may have been affected were notified last month. In a letter dated Aug. 23, the hospital system says the breach was discovered in June after "unusual activity" surrounding employee email accounts was detected.
Patient names, addresses, Social Security numbers, health insurance information and "limited" medical information may have been accessed as part of the data breach, Conway Regional Health System said in a statement Wednesday. The hospital system said it had not found any incidents where the information was misused. It did not say how many patients were affected.
The hospital system said it's reviewing information security policies and procedures to minimize the risk of another data breach.
Conway Regional Health System released the following statement:
Conway Regional is committed to protecting our information systems and continues to take steps to guard against cybersecurity threats. We care greatly about our patients and sent letters to those affected as soon as possible to make them aware of a potential risk to their information. At this time, we are not aware of any misuse of any personal information.
A recent email phishing scam resulted in the potential compromise of information for certain patients. We identified suspicious activity on certain employees’ email accounts and immediately began an investigation to determine what happened and what information was at risk.
After a thorough internal and external investigation by cybersecurity experts, we did not identify that any individuals’ information was accessed, but out of an abundance of caution we notified those individuals whose information was contained in the email account. Each individual was sent a letter describing the information specific to them that we identified in the email account. All individuals were provided resource information in the event they have questions.
We take the security of the information in our possession seriously and we regret any concern that this incident causes and remain committed to protecting patient information.