Curry Health Network notifies members of FastHealth breach

Last month, this site noted a FastHealth breach from 2017 that was first being disclosed.  FastHealth had reported it to HHS as impacting 1,345 patients. Now Curry Health Network is notifying its members, and it’s not totally clear if these members were included in the number that had been previously reported to HHS.  DataBreaches.net emailed FastHealth to see if they would clarify the numbers for this breach, but has received no response as yet. This post will be updated if a response is received. In the meantime, here is Curry Health Network’s notification:

(March 26, 2018) – Some community member may have received, or may be receiving, a letter from FastHealth Interactive Healthcare notifying them of a security incident. Curry Health Network has received inquiries from staff and community members regarding the legitimacy of the letter, and would like to share the following information:

FastHealth is a company with whom Curry Health Network (CHN) contracts to provide the hosting and programming for its web site. They provide these services to many hundreds of hospitals and other healthcare organizations. FastHealth stores the files which comprise the content and data submitted in forms on the CHN web site, on their servers in Alabama.

FastHealth determined, through a lengthy investigation, that an unauthorized third-party accessed their web server, and may have been able to acquire information from certain databases.

The database in question contained information submitted on the CHN employment application form, from which, again, information may or may not have been accessed. The information did not include Health Information protected by HIPAA, medical records, patient portal data, online bill pay information, or any other forms on the web site or linked to/from the web site.

FastHealth is required to notify persons who may have been affected by this unauthorized access to their server, and is in the process of sending letters to those whose information had the potential to be accessed.

FastHealth is offering one year’s identity monitoring services to all persons who receive the letter. This service includes credit monitoring, fraud consultation, and identity theft restoration.

To be clear – this incident is a FastHealth security issue; it is not a Curry Health Network security issue and does not reflect on the security of the CHN data systems. Additionally, the security of the web site does not fall under the purview of the Curry Health Network IT department, but rather to the vendor.

If you have received a letter, or receive a letter in the future, and have questions, comments or concerns, please contact the call center number included in the letter (1-833-215-3730).

About the author: Dissent