Milwaukee-based Froedtert Health has issued a notice on its web site:
Froedtert Health and our affiliates are committed to maintaining the privacy and security of the personal information provided to us. Our affiliates include Froedtert Hospital, Community Memorial Hospital of Menomonee Falls, St. Joseph’s Community Hospital of West Bend, Froedtert Health Medical Group (also known as the West Bend Clinic and formerly known as Medical Associates of Menomonee Falls), West Bend Surgery Center, and Kettle Moraine Anesthesiology. Regrettably, the purpose of this notice is to inform you of an incident involving some of that information.
On December 14, 2012, we learned that a computer virus may have allowed an unauthorized person to access a Froedtert Health employee’s work computer account. We found no evidence that any unauthorized person accessed any personal information or medical records. As a precaution, we felt it was important to tell you this occurred.
We immediately began an investigation and hired an expert computer forensics company to examine what happened. The forensics company could not definitively rule out the possibility the virus was able to obtain information stored in the employee’s work computer account. A file in the employee’s work computer account contained some patients’ information, including names, addresses, telephone numbers, dates of birth, medical record numbers, names of health insurers, diagnoses, other clinical information, and in some instances Social Security numbers. Financial information was not stored in any files in the employee’s work computer account.
We have set up a call center with a toll-free help line for patients who have questions. The phone number is 1-855-770-0006. When prompted, please enter the following 10-digit reference code: 5764020813. The call center is staffed weekdays from 8 am until 5 pm Central time. Also, if you have concerns about this situation and have not received a letter from us by March 5, 2013, please call the help line with your questions.
We deeply regret any concerns this may cause our patients. Protecting the privacy and confidentiality of the personal information we maintain always has been one of our highest priorities. Unfortunately, such computer attacks are increasingly common, affecting organizations worldwide. We continually update our computer virus protection and are conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future.
Jesse Garza of the Journal Sentinel reports that 43,000 patients may be affected and that fewer than 3% of the files on the employee’s computer contained Social Security numbers.
Looking at the Froedtert statement again, though, I just realized that although they say they discovered the problem in December, they don’t state when the system actually got infected or how it get infected. And once again, we should note the difference between their statement that “we found no evidence” (of access) vs. their forensics firm saying “We can’t definitively rule out access.” Absence of evidence is not …. you know the rest.