Trinity Health Of New England discloses employee email breach that exposed patients' personal data

Trinity Health Of New England recently informed patients of a December data breach that compromised personal identifying information, payment information and care details, the organization said in notices and statements.

The four-hospital system—part of the 26-state Trinity Health Corporation—wrote in a March 3 online posting that it learned of “unusual activity in an employee’s email account and conducted an investigation,” which found about three days of unauthorized account access from Dec. 16 to Dec. 18.

The organization’s subsequent review of the compromised account found that it contained the names, medical record numbers/patient ID numbers, encounter numbers, locations of service, provider names and specialties, procedure names, insurance names/type, billing balances and dates of birth of “a limited number of patients,” Trinity said in the notice.

Additionally, a “very limited number of patients” had their addresses, phone numbers, email addresses and prescription information included in the compromised account, Trinity said.

The health system said its review showed no evidence that the information was misused and that “the likelihood of any misuse is low.” Trinity said it has since reviewed its data protection policies and procedures and changed the password credentials of the compromised account.

“At Trinity Health and Trinity Health of New England, safety is a top priority—including the safety of personal information,” the health system told Fierce Healthcare in an email statement. “We took immediate action and launched our own internal investigation as soon as we were notified of the security incident. We take these matters seriously and follow all the regulatory reporting requirements related to privacy and security incidents.”

Trinity also filed a notice regarding the breach with the Massachusetts attorney general and sent a letter to those who were impacted on March 9, according to JD Supra.

Trinity did not disclose the number of affected patients in its online notice or email statement; however, JD Supra’s review of the regulatory filing references “tens of thousands of patients” whose data was leaked due to the breach.

As a whole, Trinity Health reported $21.5 billion in revenue and about 1.3 million patients during the 2022 fiscal year ended June 6. The Catholic system had noted in its most recent earnings report that its finances were affected by a high-profile cyberattack on CommonSpirit Health and its MercyOne assets, which Trinity purchased last year.

Employee accounts are a common entry point for bad actors. In a worst-case scenario, they can serve as a foot in the door for ransomware attacks, which have lately been on the rise within healthcare.