A statement prominently linked from the hospital’s homepage explains that after identifying the virus in January, they brought in a forensic team who
was able to learn that the virus had captured screen shots of Internet web pages and stored these images in an encrypted, hidden folder on the Valley View Hospital system. This folder could have been accessed by an outside entity. Upon this discovery on January 23, 2014, the hospital immediately shut down incoming and outgoing Internet traffic to quarantine all information. Steps were taken to remove the virus from the system.
On January 25, 2014, the firm reported the detailed contents of the encrypted, hidden folder. The information in each folder varied for each affected individual but included individual names and in some cases addresses, date of birth, telephone numbers, social security numbers, credit card information, admission date, discharge date and patient visit numbers. No medical information was included. The hospital has been unable to confirm whether any data was improperly accessed by or transmitted to an outside entity.
Notification letters will be going out to affected patients on March 17 and patients will be informed about free identity and credit protection services.
The hospital has already launched an upgrade to its information technology and security.