June 22 — CHI St. Luke’s Health-Memorial Lufkin announced today that it has taken action after becoming aware of an incident that took place on April 23, 2020 in which an unapproved third party gained access to patient information. Though we have no evidence to confirm that information was actually viewed or obtained by the unknown outside party, CHI St. Luke’s Health-Memorial Lufkin is providing notice of this event to potentially impacted individuals as well as certain regulators out of an abundance of caution.
What Happened?
On April 23, 2020, we discovered that patient information in two employee email accounts could have been accessed by an unapproved outside party. Though we have no evidence to confirm that information was actually viewed or obtained by the individual, we cannot totally rule it out as a possibility. We discovered the potential exposure as we were investigating a security event involving one of our servers, which we learned about on March 25, 2020.
The information that may have been accessed included patients’ names, diagnosis, dates of services, and facility account number. Based on the circumstances there is no evidence that any other information was accessed or that patients’ information has been used inappropriately.
CHI St. Luke’s Health-Memorial Lufkin has established a call center with its partner, Kroll, to assist in answering any questions impacted individuals may have. For more information, call at 1-844-961-2413, Monday through Friday from 9:00 a.m. to 6:30 p.m. Eastern Time, excluding major U.S. holidays.
What We Are Doing.
CHI St. Luke’s Health-Memorial Lufkin is committed to protecting the security and confidentiality of our patient’s protected health information. An internal investigation was launched by the CHI St. Luke’s threat management team, and vendors were engaged to conduct a forensic investigation. The investigation included engaging forensic experts, interviewing employees, reviewing data and access logs, conducting threat intelligence analysis, and reviewing various data file types in order to determine what if anything had happened. The patients’ electronic health records were not involved. CHI St. Luke’s Health-Memorial Lufkin has taken steps to confirm that its network remains secure, and it is continuing to work with law enforcement and forensic experts. Additionally, CHI St. Luke’s Health-Memorial Lufkin has reset password across the facility, replaced and upgraded hardware, made changes relating to software, and changed processes for accessing the network.
What You Can Do.
CHI St. Luke’s Health encourages individuals to remain vigilant against incidents of identity theft and fraud, to review their bank and credit statements, and to monitor their credit reports for suspicious activity. Under U.S. law individuals are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order a free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. Individuals may also contact the three major credit bureaus directly to request a free copy of their credit report. Additionally, certain individuals affected by this incident may be eligible for Experian Credit Monitoring at no cost for up to a year. For more information about protecting personal information, impacted individuals may contact the FTC for resources.
Source: CHI St. Lukes Health Memorial