(Eagle (Bryan, TX) Via Acquire Media NewsEdge) Feb. 15--There are so far no verified cases of fraud stemming from a massive security breach of the St. Joseph Health System.
More than 405,000 patient and employee records stored on a system server were hacked Dec. 16 and discovered by St. Joseph information technology employees two days later. The majority of the hacked data was patient records, which include names, medical information, Social Security numbers and dates of birth.
Tim Ottinger, a vice president for the regional health system, said forensic investigators traced the hacker's IP address to China. That investigation was being handled by the FBI. The hack is one of the largest health care data breaches reported, a fact first reported by Information Week. According to U.S. Department of Health and Human Services data, the St. Joseph breach is the third largest reported. The two larger breaches happened to government health departments, as opposed to a hospital system. In 2008, a breach of the Puerto Rico Department of Health impacted 475,000 people, and a 2012 hack of the Utah Department of Health affected 780,000.
News of the breach was first reported Feb. 4, and this week patients and employees whose information was compromised started to receive letters in the mail. Each was automatically signed up for a year's worth of identity protection.
The form letter states, "We take this matter, and the security of your personal information, very seriously. As a precaution, SJHS wants to assist you in protecting your identity even though we are not aware of any misuse of your information and we have been unable to determine whether any data was in fact taken."
Ottinger said the health system has sent out nearly 400,000 letters and that the last "few thousand" will go out next week. He said a call center for affected patients and employees will run until it is no longer needed. The call center is for patients or employees who want to find out if their information was affected or who want to inquire about identity protection. The center is open 8 a.m. to 8 p.m. Monday through Saturday and can be reached at 855-731-6011.
Ottinger said the center has received about 5,000 calls and that the topics have varied. He said the call center workers make follow-up calls if needed, but that about 99 percent of the callers have had their issues resolved on the first try.
"The vast majority get their questions answered or get enrolled in the program," Ottinger said. "People have been patient, which we very much appreciate. We understand the concern this generates and the inconvenience it is. ... To be on the safe side, we would encourage they call the center and take advantage of every protection they can get."
There isn't a lot of new information to report from the FBI, he said.
"Every day, we have a follow-up call and as of yesterday, we have not had a verified identity theft," Ottinger said. "We haven't heard any more from the forensic team. They're fairly well completed; again, the case has been turned over to the FBI, and there are no updates as of yesterday that I've heard or anything new that would shed more light."
The hospital system implemented an additional 10 security measures following the attack, but Ottinger declined to discuss the modifications. He said he didn't want to provide potential hackers with any information about the new security measures.
"We continue to look at those [security measures] on a regular basis, and that will be ongoing," Ottinger said. "I do appreciate people's patience. For the size and number of people affected, people have been very patient and supportive and we appreciate that."
(c)2014 The Eagle (Bryan, Texas)