Charleston Area Medical Center Reports data breach #21792

Open
swidup opened this issue Feb 15, 2025 · 1 comment

swidup commented Feb 15, 2025

https://www.camc.org/sites/default/files/2025-02/2025-02-03%20-%20CAMC%20-%20Substitute%20Notice%20-%204908-3837-5706.1.pdf

"At Charleston Area Medical Center, Inc. (“CAMC”), we are committed to protecting the
confidentiality and security of your personal information. We are posting this notice because
CAMC was recently the victim of an email phishing attack that may have resulted in unauthorized
access to certain patient, personal information. At this time, we are not aware of any misuse of the
personal information potentially affected by this incident.

WAS I AFFECTED BY THIS INCIDENT?
CAMC is in the process of providing separate, written notification to affected individuals for
whom we have mailing addresses. We are posting this notice pursuant to Federal law for those
individuals for whom we did not have addresses.

WHAT HAPPENED?
On October 2, 2024, CAMC discovered that a small number of email users were the subject of a
phishing attack. We promptly began investigating this incident with the assistance of a respected
forensic security provider, and took steps to terminate any unauthorized access to CAMC’s email.
Our investigation ultimately concluded that an unauthorized party gained access to a single
CAMC user’s email mailbox between October 2, 2024 and October 3, 2024. No other CAMC
systems or data storage were impacted by this incident. After a review of the affected mailbox,
we ultimately determined that your information may have been impacted.

WHAT INFORMATION WAS INVOLVED?
The information that may have been impacted varied from person to person, but may have
included: first and last name; date of birth; e-mail address; phone number; Social Security
number; driver’s license; health information, and health insurance information."


swidup commented Feb 22, 2025

https://www.hipaajournal.com/email-breaches-kansas-west-virginia-medical-centers/

"Charleston Area Medical Center in West Virginia has discovered a small number of employees were targeted in a phishing attack. The unauthorized access was blocked, and a third-party cybersecurity company was engaged to conduct forensic analysis, which confirmed that an unauthorized third party gained access to a single email account between October 2, and October 3, 2024. No other systems were accessed; however, the email account contained patients’ protected health information.

The data involved varied from individual to individual and may have included first and last names, dates of birth, email addresses, phone numbers, Social Security numbers, driver’s license numbers, health information, and health insurance information. Additional technical security measures have been implemented, and additional cybersecurity training is being provided to the workforce. The substitute breach notice does not mention credit monitoring or identity theft protection services. The affected individuals have been advised to monitor their medical account statements and to report any misuse of their data.

The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected."
