Information on about 2,300 patients at the University of Vermont Medical Center was accessible to hackers after two employees fell victim to a phishing scam in late May and early June, the hospital said.
No patients’ Social Security numbers or financial records were exposed, the hospital said in a statement Friday. But the compromised accounts contained “messages with patients’ information, which may have included names, addresses, medical record numbers and clinical information, such as diagnosis, treatment, and medications.”
All told, hackers could have accessed the information of around 2,300 patients. The medical center is mailing letters to affected people and has set up a hotline to answer questions: 800-383-5522.
The statement disclosing the attack said there is “no evidence that any patient information was used in any way.”
During the attack, many employees received emails designed to look as if they had come from within the medical center administration.
In two cases, employees fell for the scam and provided personal information, which allowed the hackers to briefly take control of their email accounts.
The medical center network security team deactivated the accounts almost immediately, the hospital said — as soon as its software detected the compromised email addresses sending out spam messages.
Heather Roszkowski, head of internet security for the UVM Health Network, said the hackers’ motives are a matter of speculation.
Keeping that in mind, she said, the contents of the outgoing messages sent by the compromised accounts suggest the attackers’ goal was increasing traffic to certain websites in order to make money from advertising.
Investigations by the medical center’s IT team and its security contractors did not determine the source of the attack. Roszkowski said that was because hackers typically veil their true location and identity behind layers of convoluted intermediate connections.
The UVM network security team is familiar with the organization that, at the surface level, appeared to have sent the phishing attempt. But Roszkowski said she’s confident it wasn’t the true source of the attack.
“I do not suspect them of having the hacker in their organization,” Roszkowski said. “I think they were victimized, and if you went back — if they were willing to release their information — we would see a chain where the hackers were bouncing off of various organizations to really hide their true identity.”
Michael Carrese, the UVM Medical Center’s media relations liaison, said this attack was the first breach in the history of the medical center’s employee network. The patient records system, he added, has never been breached.
Despite a good track record of cybersecurity, Roszkowski said, her department will review and enhance security protocols.
“You never get to the point where you feel like this is good enough,” Roszkowski said. “You are constantly improving your (security) environment because the threats are always changing, the technology is always changing.”