An unauthorized third party gained access to an employee's email account at a New York ACO that contained a spreadsheet of information for around 25,000 patients, according to The Post Star.
Plattsburgh, N.Y-based Adirondacks Accountable Care Organization has notified the hospitals and medical centers in its system. The data breach happened between March 2-4 when two employees were emailing back and forth about patients who had missed a baby wellness exam. The employees planned to email the spreadsheet to physicians as part of its "population health" analysis, reports The Post Star.
While the hacking incident was not a phishing attack, the ACO said it was unavoidable for employees. It is unclear if patients' information was viewed. On the spreadsheet, patients were identified by their names and birth dates, Social Security numbers or health insurance numbers.
The ACO sent out letters to 20,000 patients last week. On July 12, the agency mailed 5,000 more patients. Adirondacks ACO has offered patients free credit monitoring and identity protection. Patients are advised to review medical bills or explanation of benefits statements.
Editor's note: This article was updated July 16 to indicate the ACO is in New York.