From the Blog

LMH announces phishing incident

Logansport Memorial Hospital was the victim of a hacking incident that may have resulted in unauthorized access to certain information about the Hospital's patients. On February 22, 2019, the Hospital became aware that an employee email account had been compromised through what is known as a phishing attack, where a malicious actor sought to obtain the employee’s username and password through a fake email that requested the employee to provide those credentials for a seemingly legitimate purpose. The Hospital immediately took steps to secure the account and ensure that the hacker no longer had access to it.

The Hospital initiated an investigation and learned on or about March 18, 2019, that the compromised email account contained patient protected health information. Since then, the Hospital has worked to identify the individuals and information potentially affected by the breach. While the Hospital's investigation was not able to definitively conclude whether the hackers actually accessed or obtained a particular individual's information, it would have been possible for the hackers to access and obtain patient information that was in the compromised employee email account.

The information potentially accessed by the hackers was primarily in the form of surgical schedules that were sent daily to the Hospital employee for use in legitimate job functions. The potentially compromised information included some or all of the following: patient name, date of birth, age, medical condition/diagnosis, allergies, phone number, medical record number, name of surgeon, and date/time of surgery. It is important to note that the information did not include any personal financial information, such as social security number or credit card information. This incident did not involve or affect the security of the Hospital's electronic medical record in any manner, and at no point was the Hospital unable to access the information needed to provide high quality health care services to patients.

The Hospital sent letters to each of its affected patients to inform them of this incident and to identify the steps that patients can take to protect themselves from the potential misuse of this information. Although no financial information was in the account, the Hospital suggests that patients who are concerned about their information consider contacting the three credit reporting agencies to place a fraud alert on their credit reports, and to monitor medical records and health insurance claims information for any indications of medical identity theft.

The Hospital has reported the incident to the U.S. Department of Health and Human Services Office for Civil Rights, which is the federal agency that oversees the privacy and security of patient protected health information.

Logansport Memorial Hospital deeply regrets that this incident occurred. The Hospital is committed to providing quality care and protecting PHI. The Hospital has established a call center to answer any questions that patients may have about this incident. Patients may contact the call center at (855) 424-2570 between 9 a.m. and 9 p.m. Eastern time, Monday through Friday.