Hospital Boosts Security, Issues Notifications After Breach

Cheyenne Regional Medical Center has added security measures and is informing people whose personal information was exposed due to a data breach earlier this year, hospital officials said.

The breach was discovered in April but is being publicly disclosed now to inform the community out of “an abundance of caution,” said Jacqueline Van Cleave, the hospital’s director of compliance and privacy.

Van Cleave told The Wyoming Tribune Eagle that a hacker accessed a “limited number” of employee email accounts that contained as many as 16,000 patients’ personal information, including dates of birth and Social Security numbers. The number of patients whose information was exposed is being checked, she said.

It appears that the hacker appeared to be interested in payroll information, and there is no evidence that the exposed patient information has been misused, she said.

The hospital’s review concluded in November, and officials plan to send notification letters to people whose information was in the compromised emails. The hospital is offering them free credit monitoring.

CRMC policies and procedures say that patient information must be securely stored in the hospital’s electronic health records system. But some information can be exchanged via email among staff for administrative purposes.

Since the breach, CRMC has implemented further security measures surrounding internal network applications and is continually reviewing its security process, officials said.