By HFT Staff

Aultman Hospital experienced an email phishing incident, and this notice explains the incident and measures that have been taken. 

Aultman first became aware of the incident on April 24, 2024, after phishing emails were sent from one employee’s email account without their knowledge. Upon learning of this, Aultman secured the employee’s account and launched an investigation. The investigation confirmed that this incident was limited to just one employee’s email account and did not involve their electronic health records systems. Additionally, this incident did not disrupt their services or operations.  

Their investigation further determined that an unauthorized party accessed the Aultman employee’s email account between the dates of April 22 and April 24, 2024. Although the likely purpose of the unauthorized access to the employee’s email account was to perpetrate a phishing email scheme, the investigation cannot rule out the possibility that the unauthorized party accessed emails and attachments in the employee’s email account. Therefore, out of caution, Aultman is conducting a manual review of the employee’s mailbox’s contents. Through their ongoing review, they identified emails and attachments that contain patient information, including patient names and medical record numbers. These emails and attachments also may contain dates of birth, addresses, patient account numbers, health insurance identification numbers, diagnoses and/or treatment information.  

On June 21, 2024, Aultman began mailing letters to patients whose information may have been involved in the incident. To help prevent something like this from happening again, they have increased cybersecurity training and implemented additional safeguards and technical security measures to further protect and monitor our systems.