Tulsa, Oklahoma-based Saint Francis Health System has experienced a cyberattack that has resulted in the theft of patient data. The incident does not impact all Saint Francis patients, only certain patients that have previously received medical services at the Warren Clinic – a network of 70 clinics in Tulsa and eastern Oklahoma.
The cyberattack was not detected at the time. Instead, Saint Francis Health System was informed that an attack had occurred by the individuals responsible for the breach. On September 7, 2016, Saint Francis Health System received an email advising of a cyberattack on an external server. The healthcare organization was told that patient data had been exfiltrated and was being held by the attackers.
The attackers demanded a payment be made using an anonymous cybercurrency. If payment was received, the stolen data would be returned. The data were taken from a database with a clinical title, although relatively little patient information was obtained by the attackers. Saint Francis Health System believes the Warren Clinic data breach was limited to patients’ names and addresses. No highly sensitive data appears to have been stolen.
The security breach was reported to law enforcement which advised Saint Francis Health System not to pay the ransom. That advice was taken and no payment was made. Had payment been made, there would have been no guarantee that the data would have been returned, nor that the information would not have been sold or used for fraudulent purposes.
Patients affected by the security breach were notified by mail in September and a substitute breach notice was published on the Saint Francis Health System website. The Department of Health and Human Services Office for Civil Rights was notified of the data breach on October 7, 2016. The breach report indicates 2,938 patients were impacted.
Even though the data stolen in the attack was limited, out of an abundance of caution patients have been offered complimentary credit monitoring and identity theft protection services for a period of one year without charge.