A friend who accessed a laptop and the email account of an employee of Saint Louis University School of Medicine is being blamed for a data breach at the organization.
The unmonitored access of the email account occurred between April 20 and September 3; the university learned of the breach on September 23, and then it took steps to secure the employee’s email account.
Investigators from a computer forensic firm could not determine if any emails or attachments in the account were viewed by the unauthorized individual.
“We therefore conducted a review of the emails and attachments contained in the email account to identify patient information that may have been in the account,” Washington University School of Medicine told affected patients in a notification letter.
The review found 11 types of protected health information at risk, including Social Security numbers. The breach affected only patients of the school’s ophthalmology department, which were the patients who had information contained in the employee’s email account.
The school said the information of 3,237 individuals was affected. Patients with Social Security numbers at risk will receive credit monitoring and identity protection services.
“We recommend that affected patients review any statements they receive from their health insurers or providers and if they see charges for services not received to contact the insurer or provider immediately,” patients were told.
University School of Medicine also apologized to patients. “We regret any concern or inconvenience this incident may cause,” the school told patients. “We remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff on best practices for passwords and are making additional security enhancements.”