Henderson & Walton Women’s Center P.C. (HWWC) has recently announced that it has experienced a data breach involving the exposure of the protected health information (PHI) of over 34,000 individuals. The Alabama-based female healthcare provider has said that the breach is the result of an unauthorized third-party gaining access to an employee’s email account.
HWWC initiated a forensic investigation with the help of a cybersecurity specialist as soon as they discovered the hacker’s entry to determine the nature of the attack and to identify what data had been exposed. By June 24, 2022, the healthcare provider determined that personal information had existed on the account. However, it was unclear whether the information had been exfiltrated. The personal information on the employee’s account included full names, date of births, Social Security numbers, driver’s license numbers, medical information, and health insurance information. The HWWC had sent breach notification letters to patients who had been affected by the attack. The healthcare provider has also posted the letter to their website to ensure all patients, including those affected but did not receive a letter in the mail, that some sensitive patient information had been obtained by the threat actors. HWWC maintained that not all affected patients had the same set of personal information contained within the email account.
HWWC has adopted additional security measures in order to better safeguard its system in response to this event. This includes implementing a new system for emails containing personal information that automatically erases such information after 3 days and updating security and privacy policies. The HWWC is also developing a system to completely stop the disclosure of personal information via email. The healthcare provider will also provide a year of complimentary credit free monitoring for affected patients. Affected patients may also contact HWWC’s representatives for further information regarding the incident. “We take your privacy seriously and we regret this cybersecurity incident”, stated Assistant Practice Administrator Stephanie Golden. “We apologize for any inconvenience caused.”