Memorial Health System alerts patients to possible data breach
Incident related to summer cyber attack
MARIETTA — Personal information for more than 200,000 people may have been accessible during a cyber attack on Memorial Health System last year, although officials say there is no indication any identity theft or unauthorized use of the data occurred.
Patients from Memorial whose personal health information, Social Security number, account number or date of birth could have been accessed recently received letters notifying them of the situation. The letter says the recipient’s information was present in systems that were accessed by an “unauthorized actor” around July 10 through Aug. 15.
“While the extensive investigation with the FBI and cybersecurity teams indicates no reason to suspect there has been any fraudulent use or public release of patient information associated with this incident, we are notifying patients whose information MAY have been accessible during the breach,” Jennifer Offenberger, associate vice president, service excellence, for Memorial said via email Thursday. “The health and safety of our patients are essential to who we are, and that includes protecting patients’ confidentiality and security.”
A hotline for patients to call with questions or concerns is available at 855-545-2370 from 9 a.m. to 6:30 p.m. Monday through Friday. Memorial is also offering a free credit monitoring service, with enrollment instructions included with the letters.
Malware was identified in Memorial’s system on Aug. 14, and an investigation was immediately launched, Offenberger said. On Aug. 18, Memorial Health System CEO Scott Cantley announced an agreement had been reached, with the help of the FBI and the system’s insurance carrier, and they would be able to unlock their servers following the ransomware attack.
In mid-September, the letter says, it was determined that an “unauthorized actor may have accessed or acquired information from systems potentially containing patient information.”
By Nov. 1, a review had determined the scope of the information at risk and those potentially impacted, Offenberger said.
“We spent time since then confirming patients, types of information at issue and best contact information,” she said.
A total of 216,470 individuals were identified in the database, Offenberger said.
The review was completed Dec. 9. On Jan. 4, a notice was posted on the Memorial Health System website and letters were mailed to those affected, she said.
Memorial continues to work with law enforcement, including the FBI, to identify and prosecute those responsible for the attack, Offenberger said.
“MHS has strict security measures to protect the information in our possession, and we have worked to add further technical safeguards to our environment,” she said. “Since the attack we have further hardened our Electronic Health Record security to prevent another cyber security event from occurring again, including a heavy emphasis on education.”
Evan Bevins can be reached at firstname.lastname@example.org.