In January 2020, Doctors Community Medical Center (DCMC) noticed suspicious activity within its payroll system. Upon investigation, hospital officials determined that a small number of employees had fallen victim to a phishing attack. By obtaining employees’ credentials in the phishing attack, the unauthorized third party was able to access employees’ payroll information and their email accounts.
The investigation determined on or around Feb. 13, 2020, that certain DCMC employee accounts were accessed by an unknown actor for various periods of time between Nov. 6, 2019 and Jan. 30, 2020. As part of the investigation, officials determined that some of the email accounts contained data sheets with patient demographic information.
While not the same for all impacted patients, the patient information contained in the emails included: name, address, date of birth, Social Security Number, driver’s license, military identification number, financial account information, treatment information/diagnosis, prescription information, provider name, medical record number/patient ID, Medicare/Medicaid number, health insurance information, treatment cost information, and access credentials.
“Upon learning of the potential exposure of personal information, DCMC immediately launched an investigation to determine the nature and scope of this event,” said Dave Lehr, chief information officer. “This included working with computer forensic investigators to determine the exact information impacted and identities of the individuals contained in the email accounts. We do not have any evidence that the particular emails with patient information were accessed, copied or re-disclosed. However, out of an abundance of caution, DCMC is providing written notice to all patients impacted by this incident.”
DCMC has notified federal law enforcement and is continuing to notify those who may be affected by this event as the investigation continues. It has established a dedicated assistance line for those seeking additional information regarding this incident: 833-943-1369.
DCMC is owned by Luminis Health, which also owns Anne Arundel Medical Center in Annapolis as well as centers of care in Bowie, Crofton and Laurel, among other suburban locations.