Data Incident Notices | South Texas Health System
May 2023
South Texas Health System - Edinburg ("our Facility") is providing notice of an incident through which patients’ protected health information (“PHI”) may have been accessed. Letters were mailed on May 17, 2023 to any potentially affected patient who was associated with a mailing address in our systems.
What Happened
On January 18, 2023, our business associate became aware of suspicious email activity in an authorized user’s email account and determined that, on or about January 9, 2023, this user’s email account had been accessed without authorization as a result of a phishing incident. “Phishing” means that the user was tricked into sharing login information which enabled an unauthorized person to access the email account. Our business associate immediately reset the account credentials and launched an investigation into the nature and scope of the incident. The investigation found that the user’s email account was only accessed through a web browser, and while certain emails may have been accessed by the unauthorized person, there is currently no evidence that suggests any PHI in the emails were the target of the attack or otherwise copied or misused in any way. Nevertheless, an extensive effort was made to match patient information in the emails with available mailing addresses in our system, and our Facility is providing notice of the incident to impacted patients in an abundance of caution and so they can take steps to protect their information if they find it appropriate to do so.
What Information Was Involved
The potentially impacted emails contained the patient’s full name, patient account and/or medical record number, admission and/or discharge date, status of diagnosis and/or discharge, and in some instances, associated billing amounts. Please note the emails did not contain Social Security numbers, credit card numbers or other financial information, and generally did not include any email, phone number, or mailing address.
What We are Doing
Our Facility began mailing notification letters on May 17, 2023. In addition, email security measures are being reviewed and enhanced in light of the incident, as well as additional training and security reminders for relevant staff. While our Facility is unaware of any actual or attempted misuse of PHI, we are offering impacted patients 12 months of identity surveillance and restoration services at no charge.
More Information
Our Facility is committed to providing quality care, including protecting PHI. Individuals with additional questions may call our dedicated assistance line at 800-984-9630 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays. This line will remain open until August 31, 2023.
South Texas Health System - Edinburg ("our Facility") is providing notice of an incident through which patients’ protected health information (“PHI”) may have been accessed. Letters were mailed on May 17, 2023 to any potentially affected patient who was associated with a mailing address in our systems.
What Happened
On January 18, 2023, our business associate became aware of suspicious email activity in an authorized user’s email account and determined that, on or about January 9, 2023, this user’s email account had been accessed without authorization as a result of a phishing incident. “Phishing” means that the user was tricked into sharing login information which enabled an unauthorized person to access the email account. Our business associate immediately reset the account credentials and launched an investigation into the nature and scope of the incident. The investigation found that the user’s email account was only accessed through a web browser, and while certain emails may have been accessed by the unauthorized person, there is currently no evidence that suggests any PHI in the emails were the target of the attack or otherwise copied or misused in any way. Nevertheless, an extensive effort was made to match patient information in the emails with available mailing addresses in our system, and our Facility is providing notice of the incident to impacted patients in an abundance of caution and so they can take steps to protect their information if they find it appropriate to do so.
What Information Was Involved
The potentially impacted emails contained the patient’s full name, patient account and/or medical record number, admission and/or discharge date, status of diagnosis and/or discharge, and in some instances, associated billing amounts. Please note the emails did not contain Social Security numbers, credit card numbers or other financial information, and generally did not include any email, phone number, or mailing address.
What We are Doing
Our Facility began mailing notification letters on May 17, 2023. In addition, email security measures are being reviewed and enhanced in light of the incident, as well as additional training and security reminders for relevant staff. While our Facility is unaware of any actual or attempted misuse of PHI, we are offering impacted patients 12 months of identity surveillance and restoration services at no charge.
More Information
Our Facility is committed to providing quality care, including protecting PHI. Individuals with additional questions may call our dedicated assistance line at 800-984-9630 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays. This line will remain open until August 31, 2023.
