TX: St. Joseph Health System Confirms Hacking Incident Affecting 405,000 Patients, Employees, and Beneficiaries (updated)

Bryan, Texas – February 4, 2014 – St. Joseph Health System (SJHS), a not-for-profit integrated Catholic health care delivery system, confirmed that between Monday, December 16 and Wednesday, December 18, 2013, the organization experienced a data security attack in which certain parties gained unauthorized access to a single server containing patient and employee files on its computer system.

The unauthorized parties, operating from IP addresses in China and elsewhere, accessed a server storing patient and employee data for St. Joseph Regional Health Center, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center.

The safety and security of our patients’ and employees’ personal information is very important to SJHS, and we regret any inconvenience or concern that this matter may have caused.

As soon as the incident was discovered, SJHS took the affected server offline and launched a thorough forensics investigation with national security and computer forensics experts.

The investigation, which is ongoing, confirmed that approximately 405,000 former and current patients’, employees’ and some employees’ beneficiaries’ information was accessible to the unauthorized parties.

While it is possible that some information was taken, the forensics investigation has been unable to confirm this. SJHS does not believe any of our former/current patients’, employees’ or their beneficiaries’ information is at further risk because of this incident.

The data that was accessible included a combination of affected individuals’ names, social security numbers, dates of birth, and possibly addresses.

For the affected patients, medical information was also accessible. For some of the affected employees, bank account information was also accessible.

Affected individuals whose information was accessible are receiving notification letters by mail in the coming days providing them information on this incident.

SJHS is dedicated to the privacy and safety of patient and employee information and deeply regrets any potential impact this incident could have.

Consistent with our values, we are diligently pursuing all avenues to protect the interests of the individuals we serve.

To further serve the individuals who may have been affected by this incident, St. Joseph will provide:

A confidential call center operating from 8:00 a.m. to 8:00 p.m. CST, Monday-Saturday. This call center will handle questions on this incident and identity protection, and can be reached at (855) 731-6011

Free identity protection services for one year to affected patients and employees.

The opportunity to enroll for free in triple-bureau credit monitoring to affected patients and employees.

To guard against something like this from happening again, St. Joseph is taking appropriate additional security measures to strengthen the security of its system.

SJHS encourages its current and former employees and patients to protect against possible identity theft or other financial loss by reviewing account statements and explanations of benefits statements for any unusual activity, notifying credit card companies of this notice, and monitoring credit reports.

Under U.S. law, everyone is entitled to one free credit report annually from each of the three major credit bureaus. To order a free credit report, visit www.annualcreditreport.com or call toll-free (877) 322-8228.

At no charge, individuals can also have these credit bureaus place a “fraud alert” on their files that alerts creditors to take additional steps to verify identity prior to granting credit.

Should an individual wish to place a fraud alert, or have questions regarding his/her credit report, please contact any one of the following agencies:

Equifax, P.O. Box 740241,
Atlanta, GA 30374, 800-685-1111, www.equifax.com;

Experian, P.O. Box 2104, Allen, TX 75013, 888-397-3742, www.experian.com;

TransUnion, P.O. Box 2000, Chester, PA 19022, 800-888-4213,

The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. To do so, or to identify steps one can take to avoid identity theft, the Federal Trade Commission can be reached at 600 Pennsylvania Avenue NW, Washington, D.C., 20580, or at www.ftc.gov/bcp/edu/microsites/idtheft/ or 1-877-IDTHEFT
(1-877-438-4338); TTY: 1-866-653-4261.

About St. Joseph Health System
As the longstanding leader in health care services across the Brazos Valley, St. Joseph Health System is based in Bryan, Texas, and serves as a Ministry of Sylvania Franciscan Health. St. Joseph Health System is a faith-based, not-for-profit health system established by the Sisters of St. Francis of Sylvania, Ohio in 1936 and has facilities in eight Brazos Valley counties (Austin, Brazos, Burleson, Grimes, Lee, Leon, Madison, Robertson and Washington) serving more than 325,000 residents.

The system has five hospitals, two long term care centers, more than a dozen physician clinic locations, a charitable foundation and has a designated Accountable Care Organization. St. Joseph has 2,600 Team Members serving in 20 locations across the Brazos Valley and is nationally recognized for its neurosciences and orthopedics programs. Its anchor facility, St. Joseph Regional Health Center in Bryan, is designated as a Level II Trauma Center, accredited as the highest level of Chest Pain Center in the Brazos Valley, and has received designation as a Primary Stroke Center.

SOURCE: St. Joseph Health System

A statement on the system’s website says:

As part of our ongoing commitment to the privacy of our patients and their families, St. Joseph Health System (“SJHS”) based in Bryan, Texas, is informing individuals of an incident that may affect their personal information.  After you read this notice, if you have any questions please call the confidential call center by dialing, toll-free, (855) 731-6011, Monday through Saturday, 8:00 AM to 8:00 PM U.S. Central Time.  Si Usted prefiere hablar con alguien en Español sobre este asunto, por favor comuniquese con el centro confidencial de suporte al cliente, por llamada a (855) 731-6011.

Between Monday, December 16 and Wednesday, December 18, 2013, SJHS experienced a security attack in which hackers gained unauthorized access to one server on its computer system.  SJHS acted quickly, shutting down access to the involved computer on December 18, and hiring national security and computer forensics experts to thoroughly investigate this matter.  Our investigation, which is ongoing, determined that this security attack may have resulted in unauthorized access to records for some SJHS patients, employees, and some employees’ beneficiaries.  These records included names, social security numbers, dates of birth, and possibly addresses.  For the affected patients, medical information was also accessible.  For some of the affected employees, bank account information was also accessible.

We are sorry for any trouble or concern that this may have caused our patients, employees and their families.  While it is possible that some information was accessed or taken, the forensics investigation has been unable to confirm this, which is why we are providing this notice.  The computer was shut down when we discovered the security attack on December 18, 2013, so we believe the potential risk to individuals’ information ended on that date.  SJHS is working with the United States Federal Bureau of Investigation, which is also looking into this incident.  SJHS is providing written notice of this incident to affected individuals, to the U.S. Department of Health and Human Services, as well as to certain state and international regulators.

It is important to note that SJHS has received no reports that any of the personal information involved has been misused.  We take this matter, and the security of our patients’, employees’, and employee beneficiaries’ personal information, very seriously.  As a precaution, SJHS wants to assist individuals affected by this incident in protecting their identity, even though we are not aware of any misuse of the information, and we have been unable to determine whether any data was in fact taken.  SJHS is offering affected individuals with access to one free year of identity protection services provided by AllClear.  These identity protection services start on the date of this notice and can be used any time over the next 12 months.

To further protect individuals from identity theft or financial loss, we encourage patients, employees, and their families to remain vigilant, to review their account statements, and to monitor their credit reports and explanation of benefits forms for suspicious activity.  Individuals can also check their credit by obtaining a free credit report.  Under U.S. law, individuals are entitled to one free credit report every year from each of the three major credit bureaus.  To order a free credit report, individuals should visitwww.annualcreditreport.com or call, toll-free, 1-877-322-8228.  Individuals may also write, call, or email the three major credit bureaus directly to ask for a free copy of their credit report.  Additional information regarding how to contact the credit bureaus and how individuals may protect their identity is included below.

SJHS established a confidential inquiry line, staffed with professionals trained in identity and credit protection and restoration, and familiar with this incident.  If individuals have any questions about this incident or this notice, or if individuals believe they may be victims of identity theft they should contact the call center.

Please know that we are taking steps that will prevent this from happening again in the future. We encourage affected individuals to take advantage of the free identity and credit protection services described above.  SJHS remains committed to the security of personal information.


Denise Goffney, Corporate Compliance Officer and Privacy Officer
St. Joseph Health System

Update: Copies of the notification letters to adult patients and minor patients, via the California Attorney General’s website.

About the author: Dissent

Comments are closed.