California-based Torrance Memorial Medical Center began notifying patients Monday that two email accounts containing work-related reports were hit by a phishing attack in April.

Officials discovered unauthorized access to two email accounts on April 20. The unauthorized accessed occurred on April 18 and 19. An investigation confirmed personal patient information was contained in some of the breached emails, and officials couldn’t determine if patient data was accessed.

Hackers potentially gained access to names, dates of birth, addresses, phone numbers, medical record numbers, Social Security numbers, health insurance data and other diagnostic information.

The hospital is offering a year of free credit monitoring to all affected patients.

[Also: Breaches like Molina Healthcare's show why you can't skimp on security]

The medical center reported the incident to the U.S. Department of Health and Human Services, California Department of Health and the FBI. Officials didn’t reveal how many patients were affected, and the incident is not on the Office of Civil Rights’ breach reporting site.

Torrance Memorial exercised caution in reporting the incident to HHS. Many organizations struggle with knowing when to report a ransomware or phishing incident. Whether or not a phishing incident is defined as a breach under HIPAA is determined case-by-case.

Under HIPAA, a breach is defined as “…the acquisition, access, use or disclosure of PHI in a manner not permitted under [HIPAA] which compromises the security or privacy of the PHI.” As the hospital couldn’t rule out whether the hacker was able to access patient information, HIPAA rules would likely determine the security incident a breach.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn