St. Louis-based hospital system Ascension revealed Friday that the ransomware attack it experienced in May exposed the personal information of 5.6 million individuals, according to a new filing with Maine’s attorney general.
While its electronic health records were not compromised, a host of other personal information about current and former Ascension patients, senior living residents and employees was exposed, including bank account numbers, Social Security numbers and birthdays.
Through its investigation, Ascension discovered that on May 7 and 8, a cybercriminal obtained a copy of certain files containing personal information of Ascension patients and employees, according to a letter (PDF) sent to Maine’s attorney general.
Some health information like dates of service, lab tests ordered and procedure codes billed to insurance were exposed for some individuals, the health system said.
Other information that Ascension knows to have been stolen includes credit card information, insurance information, tax IDs, driver’s license numbers, passport numbers and addresses. Ascension does not know which data were stolen from which individuals.
Third-party experts have helped Ascension identify the impacted individuals. The system said in a statement that it began notifying the affected patients on Dec. 19. The letters will be sent within the next two to three weeks.
In a media statement, Ascension said it will provide affected individuals with credit card monitoring services and identity protection services for two years.
This is the first update about the attack on the system’s website since June, when Ascension released a media statement that identified that some of their servers containing personally identifiable health information had been compromised. The system rolled out a free complimentary credit monitoring and identity theft protection services to any Ascension patient or associate who wanted to receive the complimentary safeguard from the health system.
The system identified that an employee had unknowingly downloaded a malicious file, and it did not suspect malicious intent.
The Ascension system worked quickly to restore electronic health record function and its pharmacy business, Ascension Rx. Ascension notified the public that it was working to restore these functions by June 14, but the system provided no update on the EHRs beyond June 11, when it said most of the EHRs were back online.
The system has restored all systems impacted by the attack, it said in a Dec. 19 update.
“We are incredibly thankful for the continued support from our patients and the communities we serve,” a spokesperson for Ascension said. “To our dedicated clinicians, thank you for your tireless efforts and commitment to both our patients and our organization. The resilience and dedication shown by all our associates have been truly remarkable, and their embodiment of our Mission throughout this time has not gone unnoticed. We extend our heartfelt thanks to everyone for the contributions and positive impact you bring to our organization each and every day.”
Publisher: Source link
