From a statement posted today:
Carolinas HealthCare System is notifying approximately 5,600 patients of Carolinas Medical Center-Randolph (CMC-Randolph) whose private information may have been breached by an unauthorized electronic intruder and approximately 700 additional patients of the affected provider as a precautionary measure even though no evidence has been found that their information was obtained by the intruder. The intruder obtained incoming and outgoing emails from a provider’s account without the provider’s or the hospital’s knowledge.
The security breach was discovered on October 8, 2012 following an upgrade in the hospital’s security software. Based on the investigation, the intruder obtained emails from the provider’s account between March 11, 2012 and October 8, 2012. Upon discovery of the breach, immediate steps were taken to prevent further access by the intruder to the affected email account. Carolinas HealthCare System hired a forensic investigator and notified federal law enforcement of the incident.
Based on information discovered through the investigation, most of the obtained emails did not contain patient information. While only five emails contained social security numbers, a number did contain some medical and other patient information. The emails appear to include one or more of the following: patient names, dates and times of service, provider and facility names, internal hospital medical record and account numbers, dates of birth, and treatment information, such as diagnosis, prognosis, medications, results and referrals. Potentially affected patients have been sent personal letters explaining the type of information involved.
At this time, Carolinas HealthCare System has no evidence that the information has been misused, and based on the investigation, no other email accounts or other computer systems (including the electronic medical records system) were found to have been affected by this incident.
Read more on their web site.