Who: Rutland Regional Medical Center

# of Records Affected:

When it happened: December 29, 2018

What happened: On December 21, 2018, a Rutland Regional employee identified a high volume of spam emails being sent from their email account.

How it happened: The unauthorized actor may have had access to information related to certain individuals who were treated at Rutland Regional, including the following types of information: name, contact information, Social Security number, financial information, date of birth, medical record number, patient identification number, medical and/or clinical information including diagnosis and treatment information, and health insurance information.

Outcome: Rutland Regional’s IT Department determined the employee’s email account was subject to unauthorized access and immediately changed the employee’s password and locked the account. Rutland confirmed on February 6, 2019, that an unauthorized actor or actors had access to nine (9) employees’ email accounts at certain times between November 2, 2018,​ to February 6, 2019. No Electronic Medical Record systems or other Rutland Regional internal systems were affected. We take this incident very seriously, and we have been working diligently, with the assistance of third-party forensic investigators, to determine the full nature and scope of this incident. We are taking additional actions to strengthen the security of our email systems moving forward. Rutland Regional is also contacting the appropriate regulators regarding this incident.