Penn State Hershey notifies 132 patients or families of potential health information breach

Penn State Milton S. Hershey Medical Center recently mailed letters to approximately 130 patients or family members of patients to inform them that the work computer of a Penn State Hershey physician was recently infected by a virus which may have allowed unauthorized persons to view medical information that was stored in a file on the computer's hard drive. Because the Medical Center could not identify current mailing information for all of the patients whose information was involved, the organization is posting this substitute notice as an alternative method for making patients aware of how they can learn more about whether their information may have been involved in this potential information breach.

On July 11, this physician received what appeared to be an email from a legitimate sender. However, after opening the email he quickly realized it was not and reported it to the Penn State Hershey Information Technology (IT) department. IT took the computer offline, and their review of the problem revealed the virus resulting from the email and its potential to access documents and files. Through a detailed review of individual files and folders stored on the device, Penn State Hershey learned that some health information of 132 patients was included in documents on the computer.

In the physician's administrative role he is occasionally asked to review matters concerning the care of specific patients. He is also provided updates related to patient hospital admissions and procedures performed within his clinical specialty (obstetrics and gynecology) as well as potential patient transfers from other hospitals, which may or may not result in the patient being admitted to the Medical Center. As a treating physician, he also occasionally writes correspondence regarding patients under his care to send to other treating providers or to patients themselves in response to a question related to their treatment. Some documents containing these types of information were stored on the computer when it became affected by the virus.

The Medical Center has no reason to believe the physician's computer was targeted for the purpose of accessing patient information or information pertaining to any specific individual, but the organization is notifying these patients out of an abundance of caution.

Additionally, Penn State Hershey believes the risk of identity theft in this case is extremely small because Social Security numbers and personal financial data for the individuals were not contained in any document or file containing protected health information. Generally, the kinds of information contained in the documents may have included some combination of the following types of information: full name, age, address, diagnoses, medications, test and exam information, medical and surgical history, treatment details and internal medical record number. This medical record number by itself will not enable any unauthorized person to gain access to patient medical records. Access to the computer did not include access to the electronic health records or other electronic systems at Penn State Hershey where patient personal and financial information is maintained.

To decrease the likelihood of similar circumstances occurring in the future, the Medical Center has implemented additional safeguards and controls.

Patients who want to find out whether they should have received a letter pertaining to this incident are asked to call (877) 237-5190 Monday – Friday during the hours of 9:00 a.m. – 7:00 p.m. Eastern Standard Time (closed on U.S. observed holidays).

Please be prepared to provide the following ten-digit reference number when calling: 6583090814.