Physician staffing company EmCare has acknowledged that hackers gained access to data on about 31,000 patients, as well as about 30,000 of its employees and contractors. The company began sending notifications to those affected on Friday.
Plantation, Florida-based EmCare found out about the issue after discovering that an "unauthorized third party obtained access" to EmCare employees' emails. The company launched an investigation in February and saw that email accounts contained patient, employee and contractor personal information, such as name, date of birth or age and patient clinical data.
The company said in a statement that, to its knowledge, the information wasn't misused. EmCare also doesn't know of any person affected by fraud or identity theft connected to the data breach.
EmCare, which often staffs hospital emergency rooms, said it is continuing its investigation and is putting into place additional security measures, along with providing more employee training and reminders about email and IT security.
The company, a subsidiary of Envision Healthcare, apologized in a statement, saying it "remains committed to providing patients the highest quality of care and working with healthcare partners to improve the health of communities."
The EmCare data breach is the latest high-profile incident involving a healthcare company. Cybersecurity threats remain a big problem for the industry, with BakerHostetler's latest Data Security Incident Response Report finding healthcare once again topped industries for cybersecurity breaches in 2018.
According to cybersecurity firm Bitglass, the number of reported healthcare breaches dropped from 294 in 2017 to 290 last year, but the number of records breached grew from 4.7 million to 11.5 million. A recent HIMSS survey ranking cybersecurity, privacy and security as major healthcare executive concerns.
Human error is often a factor in these cases, which points to the need for additional training and reminders. A 2018 analysis of 1,138 breaches between 2009 and 2017 discovered that more than half originated within an organization.
The Institute for Critical Infrastructure Technology released a report earlier this month that provided strategies for hospitals, device companies and other industry groups to reduce cybersecurity vulnerabilities. Recommendations included more stakeholder collaboration, a national cybersecurity strategy and safe harbor provisions for HIPAA-covered entities that are breached despite following best practices.
Several trade groups, including the American Hospital Association, the Healthcare Leadership Council and CHIMA support such safe harbors, with the AHA saying they would "give covered entities clarity about the level of diligence they need to exercise."