CMC Data Breach: Patient Info Exposed Via Vendor Phishing

The announcement comes amidst financial challenges faced by CMC, which recently laid off 54 employees and reduced hours for others.

by Samiksha Jain April 23, 2024 in , Firewall Daily Reading Time: 4 mins read 0

589 SHARES 3.3k VIEWS Share on LinkedInShare on Twitter

(CMC) in Manchester, New Hampshire, revealed on Monday that nearly 2,792 patients may have had their personal and health information compromised in a third-party data security incident. The hospital stated that affected individuals will be notified by mail this week as the hospital works to address the .

The CMC data breach is attributed to Lamont Hanley & Associates Inc. (LH), a vendor providing account receivable management services to CMC. The unauthorized access to certain files containing sensitive patient data occurred during an incident at LH, impacting not only CMC patients but also other clients of the vendor.

Response to CMC Data Breach

According to the hospital, LH detected the breach on June 20, 2023, after an unauthorized party accessed an employee email account through a phishing attempt. Despite immediate action taken by LH to contain and secure the email environment, concerns lingered about potential data access or acquisition by unauthorized party.

“On March 6, 2024, LH notified CMC that on June 20, 2023, it discovered one employee email account was accessed by an unauthorized party via a phishing attempt. Upon detecting the incident, LH commenced an immediate and thorough investigation, contained and secured the email environment, and changed the password to the affected email account,” reads the official notice.

Although LH's investigation did not definitively confirm data access, a comprehensive review conducted on February 28, 2024, identified specific personal information present within the compromised email account.

“Out of an abundance of caution, LH conducted a comprehensive review of the affected email account, and on February 28, 2024, determined the specific personal information present within the account,” the notice reads further.

This information includes names, Social Security Numbers, dates of birth, medical and claim information, health insurance details, individual identification data, and financial account information.

CMC emphasized its commitment to patient privacy and security, stressing ongoing efforts to understand the incident's cause and LH's assurances of enhanced cybersecurity measures. Additionally, LH is offering complimentary credit monitoring services to eligible individuals affected by the breach.

While CMC's network remained unaffected by the , the hospital maintains a strong cybersecurity program and mandates contracted vendors to implement stringent safeguards for securing sensitive information.

Affected individuals will receive notification letters this week, with LH establishing a dedicated toll-free response line for inquiries and additional information.

“For those individuals who have been identified, they will receive a letter in the mail this week. For those who have questions or need additional information regarding this incident, LH has established a dedicated toll-free response line at 1.833.792.8144,” informed, the hospital.

The response line operates Monday through Friday, 8 AM to 8 PM Eastern Time, excluding holidays, to assist those affected by the breach.

As data breaches continue to pose significant risks to individuals' privacy and security, CMC and LH urge affected patients to remain vigilant by monitoring financial account statements, explanation of benefits, and credit reports for any fraudulent or irregular activity.

Additionally, they encourage individuals to consider placing fraud alerts or security freezes on their credit files for added protection against identity fraud.

Financial Challenges and Layoffs

The announcement comes amidst financial challenges faced by CMC, which recently laid off 54 employees and reduced hours for others.

President and CEO Alex Walker announced the layoffs to staff in a memo Thursday. The hospital will also cut some workers' hours and eliminate a number of open positions, reducing overall staffing levels by the equivalent of 142 full-time positions.

Walker said rising costs, lower reimbursement for services, shifting demographics and changes in the payor mix — the share of patient revenue that comes from Medicare and Medicaid vs. privately insured and self-paying patients — had all contributed to the hospital's “financial stress.”

This comes as Catholic Medical Center is in negotiations to be acquired by HCA Healthcare, the for-profit health care giant that also owns hospitals in Portsmouth, Rochester and Derry, and elsewhere across the country.

Walker told NHPR last fall that the deal is necessary for the hospital's long-term financial viability.

Catholic Medical Center says it hopes to reach a final agreement with HCA soon. The deal would still need approval from state regulators.

The New Hampshire Department of Justice blocked a proposed merger between Catholic Medical Center and Dartmouth Health in 2022, saying it would reduce competition and potentially drive up prices.

Amidst these financial challenges, CMC faces yet another hurdle with the recent data breach incident, adding more troubles to its kitty.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button