Attack Exposes 405,000 Individuals at Texas Health Care Provider
St. Joseph Health System (SJHS), a Bryan, Texas-based not-for-profit health care provider, said on Tuesday that between Dec. 16 and Dec. 18, 2013, the organization experienced a data security attack which exposed patient and employee data stored on server.
According to the provider of health services, attacker(s) hacked into a server and accessed patient and employee data files from St. Joseph Regional Health Center, Burleson St. Joseph Health Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center.
The data accessible to attackers included a combination of names, social security numbers, dates of birth, and possibly addresses, the organization said. For the affected patients, medical information was also accessible, and for some employees, bank account information was exposed.
The attackers appeared to be operating from IP addresses in “China and elsewhere”, the organization said.
“As soon as the incident was discovered, SJHS took the affected server offline and launched a thorough forensics investigation with national security and computer forensics experts,” a statement explained. “The investigation, which is ongoing, confirmed that approximately 405,000 former and current patients', employees' and some employees' beneficiaries' information was accessible to the unauthorized parties.”
“While it is possible that some information was taken, the forensics investigation has been unable to confirm this,” the statement continued. “SJHS does not believe any of our former/current patients', employees' or their beneficiaries' information is at further risk because of this incident.”
Affected individuals whose information was accessible are receiving notification letters by mail in the coming days providing them information on this incident.
For individuals who may have been affected by the incident, SJHS said it would provide a confidential call center to handle questions related to the breach, along with free identity protection services for one year for affected patients and employees.