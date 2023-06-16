Atrium Health Wake Forest Baptist reported Friday a data breach that potentially affected an unspecified number of patients.

The breach occurred between April 18 and April 20 and involved the phishing of an employee email account by an unauthorized third party.

Phishing typically is defined as an email that looks like it is from a trustworthy source, but it is not. The phishing email misleads the recipient into sharing or providing access to their account login information.

Affected could been patients whose medical and other information was located in the files used by the employee. Baptist could not be reached to determine which of its Triad and Northwest North Carolina operations were affected.

"There is no evidence any patient information was viewed as a result of the phishing attack," Baptist said in its news release.

Information that could have been accessed includes: patient names; dates of birth; Social Security numbers; hospital account record numbers; health insurance information; and treatment cost information and/or clinical information, such as dates of service, provider names or location of service.

Baptist said it is mailing notification letters to patients whose personal information could have been exposed. Patients whose Social Security numbers were noted in the data involved are being offered complimentary credit monitoring and identity protection services.

A call center where individuals can get additional information or ask questions about the phishing incident is available at 866-547-5833 from 9 a.m. to 6:30 p.m. weekdays.

Baptist said its electronic medical record systems are separate from its email system and were not affected by the breach.

The system said it became aware of the phishing incident on April 20 and secured the affected email account.

Baptist officials said that an investigation confirmed the unauthorized third party did not gain access to additional employee emails. The system hired a computer forensic firm to assist with its investigation and notified law enforcement of the breach.

"It is not possible to conclusively determine whether the unauthorized party actually viewed any emails or attachments in the email account," according to the Baptist news release.

"The forensic examination indicates the activity of the unauthorized third party was not focused on content in the employee’s email box pertaining to medical or health information."

In May 2021, Baptist affiliate Lexington Medical Center reported that some patients were affected by a data breach into the information technology platform of former third-party vendor Healthgrades Operating Co. Inc.

Healthgrades had assisted the hospital with patient and community education about health matters and services.

The hospital said it was informed of the data breach on Jan. 29, 2021, and that the breach had occurred between Oct. 16 and Oct. 20, 2020.

Healthgrades determined that a server included hospital patient information in some backup files.

The hospital said “it has received no indication that any information involved in the incident has been misused.”