More than 500 patient medical records and other sensitive information were exposed in potential data breaches at Summa Health in August and March.

Summa Health announced Friday that it was sending letters to patients who were potentially affected by what the Akron-based health system called an “email phishing incident” that targeted Summa employees.

Email phishing is a term that describes when a person clicks on an email that looks legitimate and asks the person to input sensitive information. The email phishing could be the way a data breach occurs.

Summa said after its investigation, experts were unable to determine whether information such as medical records, treatment information, dates of birth and for a small subset of patients, Social Security and driver’s license numbers, contained in employee emails were viewed by the unauthorized people.

Summa said it was mailing letters to affected patients starting Friday, establishing a dedicated call center and offering free credit monitoring and protection services. It could take several weeks for the letters to arrive, spokesman Jim Gosky said.

Gosky said the number of affected patients is more than 500.

Summa learned May 1 that “an unauthorized person gained access to a limited number of employee email accounts that contained patient information,” according to a news release from the health system. Two accounts were accessed in August and two other accounts were accessed between March 11 and March 29.

Summa said it made sure the accounts were secured and began an investigation, including hiring a computer forensic firm. “The investigation was unable to determine whether the unauthorized individual actually viewed any email or attachment in the accounts,” Summa said.

Officials said “out of an abundance of caution, Summa Health thoroughly reviewed every email and attachment in the accounts to identify patients whose information may have been accessible to the unauthorized person. Patient information was identified in the accounts, including patient names, dates of birth, medical record or patient account numbers, and clinical and/or treatment information. For a small subset of patients, health insurance information, Social Security numbers, and/or driver’s license numbers were also found in the accounts.”

Summa said it was recommending patients review the statements they receive from their health care providers and health insurers. If there are unrecognizable services, contact the provider or insurer immediately. For eligible patients whose Social Security number or driver’s license number was found in the email accounts, Summa Health is offering complimentary credit monitoring and identity protection services. The details will be in the letter.

“Summa Health remains committed to protecting the confidentiality and security of its patients’ information. To help prevent something like this from happening in the future, Summa Health is reinforcing employee training on privacy and security and is instituting additional security measures throughout the health system,” the health system said.

Article Credit: Beacon Journal/