(follow-up) Saint Francis Health System Notifies Customers and Patients after Security Breach

On Feb. 12, following up on a lead from HHS’s breach tool, I learned about a breach at Saint Francis – Broken Arrow Hospital in Oklahoma, which I reported on this blog, here.

Over a month later, the hospital has issued a press release. It says, in part:

Recently, Saint Francis Health System reported security breach at its hospital in Broken Arrow, Oklahoma. The breach was allegedly caused by a theft of a computer system, last used in 2004. The computer contained names, addresses, date of births, billing information, social security numbers, and diagnosis codes pertaining to around 84,000 patients. The stolen computer also contained information such as date of births, social security numbers, salary details and mailing addresses of employees. Ironically, the computer system is reported to be stolen from a secured room. Counter crime agencies are currently investigating the incident. Hospital authorities have initiated an internal enquiry and have also started the process of notifying the affected customers and employees. While the company has not received information regarding misuse of information, offenders having access to the data may abuse them for malicious purposes such as misrepresentation, identity fraud, fake loan applications, extortion and other criminal activities.


Saint Francis has offered one year credit protection to the affected customers and employees. The company has also set up a 12-hour information line for resolving queries. The affected individuals may place a fraud alert on the credit file to ensure additional verification by banks and credit institutions prior to sanctioning of loan. They must also verify their bank and credit card accounts for any unauthorized transactions.

It probably would have been better for the hospital to have issued its release at the same time it posted its statement to patients on its web site. A delay of over a month in issuing a press release when you’ve already notified the government, the breach has already been picked up in your local media, and you’ve put a notice on your web site – well, it just probably would be wiser to get the press release out at the same time instead of winding up in the news cycle twice.


About the author: Dissent

Comments are closed.