No evidence medical records compromised, Franciscan Health says

A Franciscan Health System spokesman Tuesday sought to clarify details of a phishing scam by hackers who penetrated Franciscan Health System’s email network in late January.

About 8,300 of the health system’s patients were notified of the data breach in letters from the health system last week. In addition to medical information, some patients’ Social Security numbers were available to hackers.

However, Franciscan spokesman Scott Thompson said the Tacoma-based medical network’s patients’ “medical records,” which he defined as the all-inclusive collection of medical data and history about those patients, weren’t exposed to outsiders because of the data breach.

“At Franciscan we view a patient’s medical record as a complete record of the patient that includes their demographic information (name, address, birth date, phone number) clinical information (who their physician is, health insurance information, medical diagnosis, treatments they have received, results of medical test, X-rays, ultrasounds, medications they have been prescribed, etc.) This would also include their medical history and next of kin,” Thompson responded in an emailed statement.

“What was contained in our employee’s work email accounts was fragments of demographic and clinical information that do not make up the totality of a patient’s medical record. These fragments constitute patient information under privacy laws, and require us to notify patients that this information has been compromised. This information was contained in emails, spreadsheets, Word documents, etc. and does not make up our medical records,” he wrote.

“We have no evidence that our medical records have been compromised. We also have no evidence that the information in the emails has been used in any way, however, as a precaution, we began sending letters to affected patients on March 28.”

In a late Friday health system news release, the medical provider said the “clinical information” potentially compromised included “treating physician and/or department, diagnosis, treatment received, medical record number, medical service code and health insurance information.”

The hackers obtained the user names and email passwords of about 20 Franciscan Health System staff members by sending them an email message purportedly from Catholic Health Initiatives, Franciscan’s parent company. That message requested that they go to a website where they were to enter their user name and password. The website was phony, designed only to harvest email information.

The phishing scheme was targeted at CHI health workers throughout the country.

Thompson said much of the information in the emails that the hackers could see was incomplete.

“They might have seen, for instance, the surgical schedule for one physician with the names of his patients,” said Thompson.

That information, he claimed, didn’t often include all of the identifying information necessary for the scammers to immediately identify that patient.

That’s why Franciscan’s computer forensic investigators took nearly two months to identify all of Franciscan’s patients whose information was opened to the scammers. The health system realized their email system had been penetrated in late January.

Federal law says medical providers must notify them of a breach involving more than 500 patients within 60 days of their becoming aware of the incident.

Thompson said the hospital notified the federal Office of Civil Rights within the 60-day period.

The Franciscan spokesman turned down requests to interview the health system’s chief executive or other officials about the data theft.

“After talking with our privacy, compliance and IT folks we feel that I’ve already said everything we want to regarding this matter,” wrote Thompson in an email.

Franciscan’s data breach wasn’t unique among medical providers in Washington.

Federal records show 23 medical data incidents involving more than 500 patients in each case in Washington state since 2009.

The largest of those involved more than 76,000 patients of UW Medicine in October 2013, when patient information was potentially compromised in a hacking incident, according to the federal records.

Franciscan has offered to pay for a year of credit monitoring for patients whose Social Security numbers were exposed in the phishing scheme. Those patients received letters telling them how to activate that credit monitoring.