Liv Osby reports:
Patients of a Bon Secours St. Francis Health System medical practice are being notified that their personal information may be at risk after a data breach at the practice.
On Jan. 4, officials learned that an unauthorized person had gained access to some systems at Milestone Family Medicine in Greenville, St. Francis said in a statement issued late Friday afternoon.
An investigation was launched and steps were taken to secure the account, according to the statement.
Officials determined that patient information may have included names, dates of birth, Social Security numbers, addresses, health insurance company, and other information related to care provided at Milestone Family Medicine.
Read more on Greenville Online. The following is the text of a notice on Bon Secours St. Francis web site:
St. Francis Physician Services previously employed the physicians at Milestone Family Medicine. St. Francis Physician Services is fully committed to maintaining the privacy and security of its patients’ information. Regrettably this notice regards an incident that may have involved some of that information.
On January 4, 2019, we learned that an unauthorized individual gained access to some systems at Milestone Family Medicine. We immediately took steps to secure the systems and began an investigation. We retained a third party forensic firm to assist us in that investigation. We determined that some patients’ information was contained on one of the servers and may have included patients’ names, dates of birth, addresses, health insurance company, social security number and information related to care received at Milestone Family Medicine.
We have no indication that any patient information has been misused in any way. We are mailing notification letters to affected patients and providing complimentary credit monitoring and identity protection services to those patients whose social security number was on the affected system. We recommend affected patients review the statements they receive from their health care providers. If there are charges for services they did not receive, they should contact the provider.
We deeply regret any concern this may cause. To help prevent something like this from happening in the future, we are enhancing technology management and information security risk oversight. If any patients have questions, please call 1-877-239-1255, Monday through Friday, 9 a.m. to 9 p.m. Eastern Time.
DataBreaches.net reached out to BSHI for clarification on a few points. Although they did not answer the question as to how many patients were being notified, they did explain that Milestone is no longer affiliated with St. Francis Physician Services, “so we cannot comment on anything they are currently doing or any protocols that have been or will be put into place in regards to their health record systems.”
In response to a question about how the attack occurred, the spokesperson responded,
These attacks targeted electronic health record systems that allowed remote user access to the internet. Any internet connections for systems not actively used to support patient care have been shut down to avoid further malicious activity.