Tacoma’s Franciscan Health System is notifying some 8,300 patients that their personal information — including in some cases medical records and Social Security numbers — may have been shared with computer scammers who accessed staff email accounts.
Franciscan estimates more than 12,000 patients nationwide had files potentially breached.
Franciscan’s total of 8,300 patients potentially affected in the South Sound was the largest in the Catholic Health Initiatives network. CHI is the parent company of Franciscan.
The employees, most of them employed by Franciscan Medical Group, responded to late January phishing emails that appeared to be coming from CHI. Those messages, composed by computer hackers, not by CHI, asked Franciscan employees to go to another site where they were to enter their email user names and passwords.
While much of the information available to the scammers in the email accounts may have included routine biographical information on patients such as name, age, address and phone numbers, in some cases medical diagnoses and treatment plans also may have been included in the records exposed to the hackers.
Franciscan spokesman Scott Thompson said the phishing expedition was a nationwide effort targeting CHI health systems’ employees. Fewer than 20 Franciscan staff members responded to those email messages and entered their user names and passwords.
The health system, whose Puget Sound network includes St. Joseph Medical Center in Tacoma, St. Francis Hospital in Federal Way, Highline Medical Center in Burien, St. Elizabeth Hospital in Enumclaw, St. Clare Hospital in Lakewood, St. Anthony Hospital in Gig Harbor and Harrison Hospital in Bremerton, as well as dozens of clinics and specialty centers, said it froze the affected email accounts.
The health system hired computer forensic experts to determine the extent of the data breach and to track down the perpetrators. The medical system also enlisted the FBI and the Secret Service in the investigation.
The FBI declined to comment or even to confirm that it was investigating the matter, citing its longstanding policy of not discussing complaints or pending investigations.
The computer forensic experts spent the past two months compiling lists of those whose information was exposed to the outsiders and trying to identify the scammers.
The Franciscan spokesman said it took the health system two months to notify patients because some of the information contained in the compromised emails was fragmentary.
“It took some time to put that information together with names and addresses,” he said.
Washington law requires businesses or individuals who collect personal data to disclose any breach of security in which their data was reasonably believed to have been obtained by unauthorized persons.
The disclosure of the data compromise to those affected “shall be made in the most expedient time possible and without unreasonable delay.”
Donn Moyer, State Department of Health spokesman, said the department is considering opening a complaint file based on the breach.
“We have not been notified by Franciscan nor have we received any complaint from someone whose data might be involved,” said Moyer in a statement.
Federal health information privacy laws similarly require medical entities to provide notification following a breach of unsecured protected health information.
No one has yet been arrested in the data theft. Investigators have traced the original phony emails to an IP address at a small California college, Thompson said.
Patients whose personal information was potentially compromised are receiving letters from Franciscan detailing the computer incident. Those among them whose Social Security numbers were in the data accessible to the hackers are being offered a year of free credit monitoring.
The health system has established a toll-free phone line for Franciscan patients who have questions about whether their personal information was available to the hackers. That number is 877-283-6556.
Thompson said the health system has not been notified of any incidents in which the stolen information was used to gain access to patients’ bank or credit accounts or to apply for new credit in their names.
The data thieves also targeted other CHI medical employees, including those of Louisville-based KentuckyOne Health and other smaller CHI health facilities across the country. Franciscan and KentuckyOne were the only health systems where more than 500 patients’ records were potentially exposed to outsiders, said the Franciscan spokesman.
Franciscan has retrained the employees who responded to the email phishing effort, and the health care concern will soon be rolling out a systemwide phishing prevention update for all of its employees, the health system spokesman said.
“Franciscan Medical Group is committed to protecting patient privacy, and we deeply regret any inconvenience this incident may have caused our patients,” said Betty Doyle, regional privacy officer for Franciscan.
Staff writer C.R. Roberts contributed to this report.
John Gillie: 253-597-8663