Rick's Blog

Letters on Sacred Heart breach went out Friday

Yesterday Sacred Heart Health System announced that hackers had gained access to confidential data on approximately 14,000 patients by gaining access to the computer system of a third-party billing vendor.

According to the press release, hackers were able to use a deceptive technique known as a phishing attack to gain access to the e-mail account of an employee of the billing vendor. The attack resulted in certain patient health information being compromised, which included patient names, date of service, date of birth, diagnosis and procedure, total charges and physician name. Approximately 40 individuals’ social security numbers were also compromised. However, the hackers did not gain access to patients’ medical records.

Upon receiving notice of the incident on Feb. 2, Sacred Heart, in cooperation with the billing vendor, immediately launched a thorough investigation into the matter.

“We value the privacy and security of patient information, and regret this unfortunate incident,” said Genevieve Harper, Privacy Officer for Sacred Heart Health System. “It is our priority to support those who have been affected.”

“We are taking the necessary and appropriate steps to prevent this type of incident from occurring in the future,” Harper said. “Specifically, we are working with our billing vendor to ensure they are continually evaluating and modifying their practices to enhance the security and privacy of all confidential and/or sensitive information in their possession.”

Inweekly asked Mike Burke, Sacred Heart’s public relations director, why it took six weeks after the notification of the hack to contact the patients. He said that it took that amount of time to determine the extent of the security breach.

“Due to the nature of the incident, our billing vendor conducted an investigation of the incident which involved a manual and electronic review of the affected e-mail account,” wrote Burke in an email. “Once Sacred Heart became aware of the incident, we engaged computer forensics experts to help determine the scope of the breach and accurately identify all affected individuals. We notified the affected patients as soon as we knew we had accurate information. Due to the potential exposure, we sent letters on Friday to the approximately 14,000 patients whose billing information was compromised by the phishing scam.”

Affected individuals may call 1-877-244-8984, Monday through Friday, 8 a.m. to 6 p.m. CST with questions.
