Crenshaw Community Hospital Data Breach Exposes Protected Health Information

On June 16, 2023, Crenshaw Community Hospital, a community healthcare provider in Luverne, Alabama, discovered a data breach affecting its systems.

According to the hospital’s official data breach notice, the compromised information included personally identifiable information (PII) and protected health information (PHI) including names, addresses, dates of birth, Social Security numbers, medical record numbers, health insurance information, diagnosis and treatment information, and other clinical data.

The breach was the result of unauthorized access to the hospital’s computer systems. While the notice did not specify whether the breach was due to malware, phishing, or another cyberattack method, the fact that both PII and PHI were exposed signals a significant security failure. The responsible party for the breach remains unidentified, and there is no information indicating whether any data has been misused at this time.

Crenshaw Community Hospital's response

Upon discovering the breach, Crenshaw Community Hospital immediately launched an investigation and took steps to secure its systems. The hospital engaged cybersecurity professionals to determine the scope of the breach and to prevent further unauthorized access. They also notified law enforcement and relevant regulatory authorities as required by law.

Individuals whose information may have been affected were notified in accordance with applicable regulations.

Given the nature of the exposed information, those affected are encouraged to take several precautionary steps:

• Monitor financial accounts and credit reports for any suspicious activity
• Consider placing a fraud alert or credit freeze with the major credit bureaus
• Review health insurance statements for unauthorized claims or services
• Remain vigilant for phishing attempts or suspicious communications referencing the hospital or healthcare services

Crenshaw Community Hospital has provided resources and guidance for affected individuals, including instructions on how to protect personal and medical information. Those with questions or concerns can contact the hospital directly using the information provided in the official notice.