Riverview Health has reported a significant data security incident that may have compromised the protected health information of certain individuals. The breach, identified on August 23, was the result of a social engineering attack that allowed an unauthorized individual to access a staff member's email account.
Upon discovering the intrusion, Riverview's security protocols quickly responded, terminating access within an hour. However, a subsequent investigation revealed that the compromised files contained sensitive patient information, including medical record numbers, admission dates, diagnoses, and personal details such as names, dates of birth, and sex. Importantly, no Social Security numbers or financial data were exposed.
Riverview Health is notifying affected patients and believes the risk of harm is low due to the nature of the information accessed. In accordance with federal law, the organization has also informed the U.S. Department of Health and Human Services Office for Civil Rights.
In an effort to prevent future breaches, Riverview is reviewing its policies on phishing and social engineering, as well as its electronic access controls. Patients concerned about their information are encouraged to monitor for suspicious activity and can reach out to Riverview for further assistance.