Stolen laptop tied to more than 12,000 accounts; CHI Franciscan says no evidence they were accessed

A report filed with a federal agency puts numbers to a patient data breach revealed last month by CHI Franciscan Health.

While a Franciscan official said there’s no evidence the password-protected data has been accessed, the information on a stolen laptop belongs to more than 12,000 current and former patients of CHI Franciscan Health Hospice.

A Franciscan news release sent to The News Tribune in late November said a backpack containing a cellphone, a laptop and a day planner with the employee’s username and password were among the items taken in October.

The heist occurred at a Federal Way apartment complex the morning of Oct. 18, when a man smashed in the front passenger window of a 2016 Toyota RAV4 and snatched a black and gray Targus backpack.

Inside the backpack were a laptop, two cellphones, a spiral notebook and a maroon organizer, according to a police report filed with the Federal Way Police Department obtained by The News Tribune.

The employee holds a state license as a social worker associate, according to state records. Franciscan would not answer questions about her job or whether she is still employed.

In an emailed statement, Cary Evans, vice president of marketing and communications for CHI Franciscan Health, said Franciscan is offering a year of free credit monitoring services to affected patients.

“In addition, we have re-educated staff about security protection measures to help prevent issues like this from happening in the future,” the statement reads.

Franciscan reported the data breach to the U.S. Department of Health and Human Services last month, which indicates the breach included information about 12,413 people.

A 2009 federal law requires health institutions to report thefts of medical data to the federal agency.

For data breaches of more than 500 people, the law requires health agencies to provide a toll-free number for victims to call, to notify the media of the data breach, and to provide information about the breach to the agency no later than 60 days after the breach.

Franciscan reported the data breach to the agency Nov. 28, more than a month after the backpack theft but within the federal guidelines for mandatory reporting.

So far this year, more than 300 data breaches involving 500 patients or more have been reported to the agency nationwide. Washington health agencies have reported 11 data breaches to the agency this year.

One data breach case not yet on the federal list was revealed Wednesday and involves nearly 400,000 current and former Community Health Plan members.

The Seattle Times reported the breach included personal information and Social Security numbers. Someone notified the organization it had a vulnerability in its computer network. A forensic analysis showed member information was accessed without permission.

Franciscan’s stolen laptop contained personal health information of both current and deceased patients, as well as Social Security numbers, demographic information, names of next of kin and phone numbers, the hospital system said in its November news release.

Only three other Washington state data heists, including the Community Health Plan vulnerability, ranked higher than Franciscan’s hospice patient data theft this year: The data of more than 91,187 state Medicaid patients was improperly shared among state employees earlier this year, according to a state news release. And the information of 18,399 Franciscan Highline Medical Center patients was compromised because of unauthorized access of a network server, according to the federal database of medical data breaches.

The Federal Trade Commission lists signs of identity theft that people should be aware of:

▪ Unexplained withdrawals from bank accounts.

▪ Bills or other mail stop arriving.

▪ Your health plan rejects your medical claim because records show you’ve reached your benefits limit.

▪ Debt collectors call about debts that are not yours.

▪ You find unfamiliar accounts on your credit report. Regularly check your credit report for free at annualcreditreport.com.

▪ Those who have had a Social Security number stolen should also file federal and state taxes early to prevent scammers from claiming any refunds.

Two years ago, Franciscan employees were targets of a phishing scheme, which tricked workers into entering their email user names and passwords on an external site. That act allowed hackers access to employee email accounts.

In that 2014 incident, around 8,300 patients were notified of the data breach, but only some medical information was included in the pilfered emails, a CHI Franciscan spokesman said at the time.

According to the FBI, medical identity fraud is on the rise and costs the nation billions of dollars annually, with thieves using medical data to get prescription drugs, medical care and even surgery. People with serious illnesses such as cancer can be in more danger of having health records stolen because they interact with the health system more than other people.

Patients with questions about Franciscan’s data breach can call 877-451-9360 from 8 a.m.-5 p.m. Monday through Friday.

This story was originally published December 22, 2016 at 8:00 AM with the headline "Stolen laptop tied to more than 12,000 accounts; CHI Franciscan says no evidence they were accessed."