Park Royal Hospital recently identified and addressed an email phishing incident that resulted in unauthorized access to one employee’s email account and SharePoint account. Upon learning of this incident on January 17, 2025, they immediately took steps to secure the email account and launched an investigation with the assistance of a third-party forensic investigation firm. The investigation confirmed that this incident was limited to the one employee’s email account and SharePoint account, and did not involve Park Royal’s electronic health records systems. This incident did not disrupt Park Royal’s services or operations.
Through their investigation, they determined that an employee mistakenly disclosed their email account credentials in response to a phishing email that they thought was legitimate. As a result, an unauthorized party used the credentials to access the employee’s email account and SharePoint account between January 14, 2025, and January 15, 2025. While in the email account and SharePoint account, the unauthorized party accessed certain emails and files. Park Royal reviewed the emails and files that were accessed and determined that one or more contained information, including patient names and one or more of the following: dates of admission, provider information and status as a patient at Park Royal.
On March 18, 2025, Park Royal began mailing notification letters via United States Postal Service First-Class mail to patients whose information was involved in the incident. To help prevent something like this from happening again, they have implemented additional safeguards and technical security measures to further protect and monitor their systems.