Cheyenne Regional Medical Center in Wyoming has recently become aware that patient data may have been illegally obtained due to a phishing attack identified in April.
The medical center was made aware of a potential security breach following the detection of suspicious activity related to staff payroll accounts on or around April 5, 2019. Around a week later, the medical center discovered that employee email accounts had been impacted.
The investigation revealed the hackers had obtained access to employee email accounts between March 27, 2019 and April 8, 2019. The focus of the attack appears to have been to access staff payroll information, although patient information contained in email accounts may also have been obtained.
The range of information potentially accessed varied from patient to patient and may have included names, dates of birth, Social Security numbers, driver’s license numbers, dates of service, provider names, medical history numbers, patient identification numbers, medical data, diagnoses, treatment information, and health insurance information. A very small portion of patients also had financial data or credit card numbers exposed.
The forensic investigation revealed, on August 21, 2019, that patient information was potentially accessed by the cybercriminals, although at that stage of the investigation the full scope of the attack was not known. It was not until November 1, 2019 that the medical center had gathered a full list of impacted patients.
There was an additional delay in sending notifications because up-to-date contact information was not held for a large number of patients. Finding that information took some time.
The medical center explained that the majority of patient information is stored in its electronic medical record system, but data is safely exchanged between staff members via email for administrative purposes and for consultations.
Impacted patients have now been alerted via mail and have been offered free credit monitoring and identity theft protection services through Kroll.
Cheyenne Regional Medical Center should be praised for its thorough explanation of the breach and investigation, and of the reason for the eight-month delay in sending alerts. All patients want to be made aware of any exposure of their personal and health information quickly but will be unaware of the work involved in a breach review and how long it can take to find the information necessary to issue alerts. Such an in-depth explanation will help patients to come to terms with why it has taken so long to learn about the breach.