Health records of up to 405,000 past and current patients at St. Joseph Health System may have been exposed in a security incident, the Texas-based hospital said February 5.
St. Joseph Health System has already called security forensic experts and the Federal Bureau of Investigation, but the investigation is still in the early stages.
Initial findings suggest the attackers had access to names, Social Security numbers, dates of birth, and addresses for both patients and employees at the hospital. The attackers also had access to some patient medical records and employee financial information, St. Joseph Health System said.
“While it is possible that some information was accessed or taken, the forensics investigation has been unable to confirm this,” Denise Goffney, corporate communications officer and privacy officer at St. Joseph Health System, wrote on the hospital website.
The investigation has not yet determined whether “any data was in fact taken,” nor have there been any reports that any of the personal data had been used in fraud, Goffney said. Even so, the hospital “wants to assist individuals affected by this incident in protecting their identity,” and has offered one year of free credit and identity protection services with AllClear.
With a little over 400,000 patients affected, the breach at St. Joseph Health System would be considered large, but not the largest healthcare data breach ever reported. That dubious distinction goes to the Utah Department of Health for its 2012 breach, which involved 780,000 records, and the Puerto Rico Department of Health for its 2008 incident involving 475,000 records.
However, this breach is the largest reported by a single healthcare system, as opposed to a government agency, as was the case in Utah and Puerto Rico.
The hospital discovered and shut down a hacked server on December 18. The initial attack happened sometime between December 16 and December 18 and the data was exposed during that time. No other information is available at this time.
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor to several publications, including PCMag.com, where she is a networking and security analyst. She was also a senior writer at eWeek, where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center, reviewing open source, storage, and networking products.