OSWEGO — Oswego Health has notified an unspecified number of patients about a potential leak of personal information via an employee email account earlier this year.
In a letter sent to affected patients, Oswego Health said it had discovered “potential unauthorized access to an employee email account” between June 11 and June 15. The letter was dated Sept. 30, 2020, but officials did not elaborate on when or how the potential leak was discovered.
The healthcare provider said it acted “immediately” to secure the email account in question and launched an in-depth investigation to determine the nature and scope of the incident.
Following a “thorough and exhaustive review process,” Oswego Health determined that the relevant emails contained patient information including name, birth date, physician name and medical diagnosis. A limited number of people also had Social Security numbers and driver’s license information impacted.
Oswego Health officials said its investigation has found no evidence that any of the exposed information had been misused. Out of an abundance of caution, however, officials said they would notify potentially affected individuals, as well as state and federal regulators.
In response to questions about the possible data leak, Oswego Health issued a statement in which they outlined the scope of the breach and remedies that can be taken.
“Oswego Health takes information privacy and security matters seriously and will remain vigilant in its efforts to safeguard and protect patient information, while taking any additional steps that may be necessary to mitigate and remediate this incident,” Oswego Health officials said.
In addition to notifying potentially affected individuals, Oswego Health has established a dedicated toll-free phone line (888-905-0048) to handle questions. Oswego Health said it will also make available 12 months of complimentary credit monitoring.
Oswego Health treats thousands of patients each year at its 132-bed Oswego Hospital and 32-bed behavioral health unit located on Bunner Street in the city of Oswego. A new behavioral health center is under construction and nearing completion in the location of the former Price Chopper grocery store between East First and East Second streets near the Port of Oswego Authority. Oswego Health handles even more patients at its two urgent care clinics and dozens of other facilities it operates.
Lorraine Lighthall, of New Haven, received two notification letters from Oswego Health regarding the potential leak. One was for herself; the second was addressed to her late husband, who passed away in 2019.
When the letters arrived in the mail last week, Lighthall said she initially set them aside.
“At first I ignored it,” she said. “I wasn’t too worried about it.”
The fact that one of the letters was addressed to her late husband and that there had been no public announcement made her question whether the letters were genuine. Lighthall said she was still mostly unconcerned, but wished Oswego Health had made an announcement in addition to notifying affected individuals.
“Just so we knew if it was real,” she said.
The exposure of private medical information is a growing problem. According to a study published in the Journal of the American Medical Association, breaches involving more than 176 million health records were reported nationwide from 2010-2017.