Roper St. Francis employee emails compromised

Listen to this article

An email security breach targeting Roper St. Francis Healthcare gave unauthorized access to employee email accounts late last year, but the health care system says it has seen no indication that patient information was misused.

In a statement, Roper St. Francis said it discovered on Nov. 30 that someone gained access to the email accounts of 13 employees after the employees received phishing emails, clicked on a link and provided their credentials. The person had access to the accounts between Nov. 15 and Dec. 1.

Phishing is the practice of sending a fraudulent email that appears to be from a trusted person or business in an attempt to deceive an individual into disclosing personal information. According to an internet security threat report (.pdf) from cybersecurity company Symantec, one in 2,995 emails sent in 2017 were phishing emails.

Roper St. Francis said it hired a forensic security firm to investigate the breach and its effects. The firm found that the email accounts contained some sensitive information, including patients’ names, medical record numbers, services received and health insurance.

The attack did not affect hospital operations and the electronic medical record system was not accessed. Roper St. Francis mailed notification letters to patients whose information may have been affected and is offering complimentary credit monitoring and identity protection services for 25 patients whose Social Security numbers and financial information were in the affected employee emails.

Roper St. Francis said it is enhancing its email security and continuing education with staff on email protection to prevent another attack from happening.