Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Healthcare Firm EmCare Says 60,000 Employees and Patients Exposed in Breach

Dallas, Texas-based firm EmCare Inc disclosed on Saturday that a number of employees’ email accounts had been accessed, potentially exposing personal information of almost 60,000 people, including 31,000 patients.

Dallas, Texas-based firm EmCare Inc disclosed on Saturday that a number of employees’ email accounts had been accessed, potentially exposing personal information of almost 60,000 people, including 31,000 patients.

EmCare, part of Envision Healthcare, provides outsourced physician services to hospitals around the U.S. It has more than 700 practices at locations ranging from major hospitals and health systems to rural hospitals and ambulatory care centers.

In an incident notice statement published on its website on Saturday, April 20, 2019, EmCare said that it had discovered on February 19 that a third-party had gained unauthorized access to certain employees’ email accounts. It said that these accounts “contained some patients’, employees’ and contractors’ personal information, including name, date of birth or age, and for some patients, clinical information. In addition, in some instances, Social Security and driverís license numbers were impacted.”

The statement does not say how many accounts were accessed, nor how many people’s personal information was contained within them. It later told Bloomberg that it may be almost 60,000 people, and that 31,000 were patients. There is no indication of how the unauthorized access was achieved.

The statement attempts to minimize the impact of the breach. EmCare has no evidence that any personal information has been misused, or that anyone will attempt to misuse the information. It is not aware of any person who has been impacted by fraud or identity theft because of the incident; and doesn’t even know if any personal information was actually obtained by the intruder.

However, if the company cannot say that data was taken, it equally cannot say that it wasn’t taken. And similarly, while no victims of fraud are currently known does not mean that fraudsters will not attempt to misuse any stolen data in the future.

What is perhaps a little surprising is that although the incident was discovered onFebruary 19, it wasn’t until April 19 that the company began to send “written notification to all potentially impacted individuals for whom it has contact information.” For those employees and patients whose social security number or driving license number were impacted, EmCare has arranged a credit monitoring account with Experian’s IdentityWorks.

Equally surprising, and a little disturbing, is that EmCare’s policy allows its employees to keep patients’ ‘clinical information’ unencrypted within their email accounts.

Related: Managed Healthcare Provider Humana Discloses Data Breach 

Related: Why Healthcare Security Matters 

Related: These Were the Top Threats Targeting Healthcare Firms in Q4 2016 

Related: Healthcare Was Most Attacked Industry in 2015: IBM 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.