By HFT Staff

Riverview Health (Riverview) is providing notice of a recent data security incident that may have affected certain individuals’ protected health information. The incident resulted from a social engineering attack that led to the compromise of a staff member’s email account by an unauthorized individual.

On August 23rd, 2024, Riverview discovered that access to one of its staff member’s e-mail accounts had been compromised by an unauthorized individual, leading such individual to have access to the compromised e-mail account as well as certain electronic files. Upon access to the staff member’s account, Riverview’s security mechanisms promptly identified the threat, and access was terminated in less than one hour from the start of the intrusion.

After further investigation, Riverview confirmed on September 3rd, 2024, that the accessible files contained certain protected health information, which may have included medical record numbers, admission dates, diagnosis and medical information, names, dates of birth, and sex. No social security numbers, financial information or bank account numbers were exposed. Although the access was terminated shortly after it was obtained, Riverview is notifying the patients whose information may have been exposed.

Riverview believes that due to the limited information contained in the exposed files, the risk of compromise or harm to patients is low. However, Riverview is taking this matter very seriously and is identifying internal and external processes to prevent future recurrences. This includes reviewing policies around phishing and social engineering attacks, as well as evaluating methods and procedures around electronic access and controls.