Carlos Gieseken reports:
The billing information of 14,000 Sacred Heart Health System patients was compromised recently when an employee email account of the healthcare provider’s third-party billing vendor was hacked.
No medical records were breached, but hackers gained access to patient names, dates of service, dates of birth, diagnoses and procedures, total charges and physician names. The social security numbers of 40 patients were also exposed.
Read more on Pensacola News Journal.
The following notice was posted on SHHS’s web site today, linked from their home page:
Notice — Breach of patient billing information
Sacred Heart Health System, Inc.
The privacy and security of patient information is of utmost importance to Sacred Heart Health System, Inc. and we have implemented significant security measures to protect such information. Regrettably, despite Sacred Heart’s efforts to safeguard patient information, a hacking attack has affected Sacred Heart patients.
On February 2, 2015, we were notified by one of our third-party billing vendors that one of its employee’s e-mail user name and password had been compromised as a result of an e-mail hacking attack. The hacking attack was detected by our billing vendor on December 3, 2014 and the employee’s user name and password were shut down the same day. Upon notice of the incident, Sacred Heart, in cooperation with our billing vendor, immediately launched a thorough investigation into the matter. Sacred Heart engaged computer forensics experts who were able to conduct an analysis of what information was included in the affected e-mail account. After careful review, we were able to determine that the billing vendor’s employee e-mail account contained personal information for approximately 14,000 individuals.
The personal health information in the e-mail account included patient names, date of service, date of birth, diagnosis and procedure, billing account numbers, total charges, and physician name. Approximately 40 individuals’, social security numbers were also compromised. The hackers did not gain access to individual medical records or billing records.
Please be assured that Sacred Heart is taking steps to mitigate this incident by notifying affected individuals via letter, posting this substitute notice, and providing notice to prominent media outlets in the area. Identity monitoring and protection services are being offered free of charge for those whose social security number has been affected by the incident. Additionally, we are working with our e-mail service provider to evaluate ways to enhance our already robust security program. We will also provide additional education to employees regarding e-mail hacking attacks.
In addition to the steps Sacred Heart has taken, affected individuals may wish to obtain a free credit report from each of the credit reporting bureaus — Equifax, Experian and TransUnion. The credit bureaus’ information is below:
Equifax 800-525-6285 www.equifax.com Experian 888-397-3742 www.experian.com TransUnion 800-680-7289 www.transunion.com
Sacred Heart sincerely apologizes for any inconvenience this unfortunate incident may cause and assures all of its patients that Sacred Heart is taking appropriate measures to avoid an incident of this nature happening in the future. Should you have any questions regarding this matter, please contact us at the following toll-free number: 1-877-244-8984 Monday through Friday, 8 a.m. to 6 p.m. CST with questions.
Why did it take the unnamed vendor two months to alert Sacred Heart to the compromise after their employee fell for a phishing scheme?