Cyber Incident Victim: Frederick Regional Health System
Date: Jan 2019
Location: United States of America
Summary
Frederick Regional Health System experienced a phishing incident where an unauthorized individual accessed an employee email account, potentially compromising hospice patients' personal and protected health information, including names, health insurance details, and in some cases Social Security numbers. The breach affected a subset of hospice patients receiving services during a specific period, with no evidence of data misuse identified; the organization secured the account, notified impacted individuals, established a dedicated call center, and offered complimentary credit monitoring while reinforcing cybersecurity measures and staff training.
Description
Frederick Regional Health System discovered unauthorized access to an employee's email account on January 21, 2019, resulting from a phishing attack. The organization immediately secured the compromised account and initiated an investigation to determine the scope of the incident. The investigation revealed that the email account contained protected health information of certain hospice patients who received services between June 2017 and January 2019. Exposed data included patient names, health insurance types, health insurance identification numbers, and in some cases, Social Security numbers. The breach did not impact all system patients or even all hospice patients, only a subset within the specified timeframe. There was no evidence suggesting misuse of the compromised information at any point during or after the incident.

The health system mailed notification letters to affected individuals on March 18, 2019, advising them to review insurance statements for unauthorized charges. A dedicated call center (1-844-582-5075), operating weekdays from 8 a.m. to 5 p.m., was established to address patient inquiries, with instructions for those who did not receive a letter to call by April 11, 2019. Eligible patients received complimentary one-year credit monitoring and identity protection services. Frederick Regional acknowledged prior cybersecurity investments and committed to implementing additional security enhancements while expanding staff email training programs. The organization expressed regret for potential patient concerns but emphasized that its investigation had detected no evidence of data misuse.
