Franciscan Health System notifies more than 12,000 patients after employees fall for phishing scheme (updated)

John Gillie reports:

Tacoma’s Franciscan Health System is notifying some 8,300 patients that their personal information — including in some cases medical records and Social Security numbers — may have been shared with computer scammers who accessed staff email accounts.

Franciscan estimates more than 12,000 patients nationwide had files potentially breached.

Franciscan’s total of 8,300 patients potentially affected in the South Sound was the largest in the Catholic Health Initiatives network. CHI is the parent company of Franciscan.

The employees, most of them employed by Franciscan Medical Group, responded to late January phishing emails that appeared to be coming from CHI. Those messages, composed by computer hackers, not by CHI, asked Franciscan employees to go to another site where they were to enter their email user names and passwords.

Read more on the News Tribune.

The Franciscan Health System posted this notice on their website March 28:

Franciscan Medical Group (FMG) is committed to protecting the security and confidentiality of our patients’ personal information. Regrettably, this notice is about an incident involving some of that information.

On January 27, 2014, we learned that “phishing” emails were sent to a small group of FMG employees who responded to the emails thinking they were legitimate requests from our parent company Catholic Health Initiatives. When we learned of this, we immediately secured the affected email accounts and began an investigation, including hiring an outside expert forensics firm. We undertook a comprehensive review of the affected employees’ e-mail accounts and confirmed that the emails contained patient information and may have included patient demographic information (for example, name, address, date of birth, telephone number), clinical information (for example, treating physician and/or department, diagnosis, treatment received, medical record number, medical service code, health insurance information), and in a small number of instances Social Security numbers.

We have no evidence that the information in the emails has been used in any way, however, as a precaution, we began sending letters to affected patients on March 28, 2014 and have established a dedicated call center to answer any questions our patients have. If you believe you are affected but do not receive a letter by April 16, 2014, please call 1-877-283-6556, Monday through Friday between 6:00 a.m. and 6:00 p.m. Pacific Time.

We regret any inconvenience this may have caused our patients. To help prevent something like this from happening in the future, we have re-enforced education with our staff regarding “phishing” emails and are reviewing enhancements for strengthening user login authentication.

This is not the first time the health system or its employees have been caught up in a breach. In January 2011, this blog reported that Franciscan Medical Group in Washington reported that 1,250 patients had PHI on a computer stolen on or about November 18.

Update: The 12,000 number includes 3,500 patients of KentuckyOne, who have also posted a statement on their website:

KentuckyOne Health is committed to protecting the security and confidentiality of our patients’ personal information. Regrettably, this notice is about an incident involving some of that information.

On January 27, 2014, we learned that “phishing” emails were sent to a small group of KentuckyOne Health employees who responded to the emails thinking they were legitimate requests. When we learned of this, we immediately secured the affected email accounts and began an investigation, including hiring an outside forensics expert firm. We undertook a comprehensive review of the affected employees’ e-mail accounts, which concluded on March 24, 2014. This investigation confirmed that the emails contained patient information from Jewish Hospital, Frazier Rehab Institute, Saint Joseph Berea and Flaget Memorial Hospital, and may have included patient demographic information (for example, name, address, date of birth, telephone number) and clinical information (for example, treating physician and/or department, diagnosis, treatment received, medical record number, medical service code, health insurance information).

We have no evidence that the information in the emails has been used in any way, however, as a precaution, we began sending letters to affected patients on March 28, 2014 and have established a dedicated call center to answer any questions our patients have. If you believe you are affected but do not receive a letter by April 16, 2014, please call 1-877-283-6556, Monday through Friday between 9:00 a.m. and 96:00 p.m. Eastern Time.

We regret any inconvenience this may have caused our patients. To help prevent something like this from happening in the future, we have re-enforced education with our staff regarding “phishing” emails and are reviewing enhancements for strengthening user login authentication.

idRADAR.com has some additional quotes from spokespeople about the breach.

About the author: Dissent

Comments are closed.