Notice to Our Patients Regarding an Email Phishing Incident at Thomas Jefferson University Hospital & Jefferson University Physicians
October 16, 2017
PHILADELPHIA – Thomas Jefferson University Hospital and Jefferson University Physicians take seriously the privacy and security of our patients’ information. Regrettably, this notice concerns an incident involving some of that information.
On August 17, 2017, we learned that on the same day several Jefferson employees responded to a “phishing” email – in other words, an email sent by a party outside Jefferson posing as a trustworthy party in order to trick the receiver of the email into sharing personal information, such as an email account password and email contacts. Using the employees’ credentials, the unauthorized person then sent spam (or junk) emails to the employees’ contacts from those accounts within minutes.
Upon learning of the incident, Jefferson immediately disabled the affected email accounts, changed the account passwords, and began an investigation, including engaging a leading forensic firm. Although we do not believe that the unauthorized person had an interest in the contents of the emails, our investigation could not rule out the potential that the emails were viewed by an unauthorized person. The information contained in the emails was related to care provided at Jefferson, and may have included information such as patients’ names, dates of birth, medical record numbers, dates of service, providers’ names, diagnoses or treatment information, laboratory studies, and medications. No patient Social Security numbers or financial information was included with the information in the affected accounts. This incident affected only a limited number of Jefferson patients (fewer than 350 patients).
At this time, we have no indication that the information in the emails was used in any way by the unauthorized person. However, out of an abundance of caution, we began mailing letters to affected patients on October 16, 2017, and established a dedicated call center to answer any questions patients may have. If you believe you may be affected and have not received a letter by November 3, 2017, or if you have any questions regarding this incident, please call 1-877-919-6943, Monday through Friday between 9 a.m. and 5 p.m. Eastern Time.
We sincerely regret that this incident occurred and apologize for any inconvenience or concern this may cause you. Although Jefferson has privacy and security policies and procedures in place, to help prevent something like this from happening in the future, we have provided our employees with additional training and education regarding phishing emails. In addition, we have added email security features that will help our employees identify potential threats.