Washington University School of Medicine in St. Louis issued this notice on Nov. 1:
Washington University School of Medicine announced today that it began mailing letters to patients whose information may have been involved in a recent security incident at its Department of Ophthalmology and Visual Sciences.
On Sept. 3, 2019, the School of Medicine learned that a small number of patients had received a letter regarding an ophthalmology department employee. The School of Medicine quickly began an internal investigation and determined that the letter was sent by an individual who knew the employee. The unauthorized individual took the employee’s personal laptop and used it to access the employee’s School of Medicine email account between April 29 and Sept. 3, 2019. The School of Medicine immediately took steps to secure the employee’s email account, and a leading computer forensic firm was engaged to assist with our continued investigation.
The investigation was not able to determine which, if any, emails or attachments in the employee’s email account were viewed by the unauthorized individual. The School of Medicine, therefore, conducted a review of the emails and attachments contained in the email account to identify patient information that may have been in the account. As a result of that review, on Oct. 21, 2019, the School of Medicine determined that emails or attachments in the account contained patient information, which may have included patient names, dates of birth, medical record numbers, and limited treatment and/or clinical information, such as diagnoses, provider names, and/or prescription information. In some instances, patients’ health insurance information and/or Social Security numbers were also included in the account.
This incident did not affect all School of Medicine patients, but only those ophthalmology department patients who had information contained in the affected email account.
The School of Medicine is mailing letters to patients whose information was found in the account and has established a dedicated, toll-free call center to answer any questions individuals may have about the incident. Patients with questions can call the call center at (844) 996-1023, Monday through Friday from 8 a.m. to 5:30 p.m. central time. For any School of Medicine patient whose Social Security number was contained in the email account, the School of Medicine is offering complimentary credit monitoring and identity protection services. The School of Medicine also recommends that affected patients review statements they receive from their health insurers or healthcare providers. If they see charges for services not received, they should contact the insurer or provider immediately.
To help prevent something like this from happening in the future, the School of Medicine has reinforced education with its staff on best practices for passwords, and are making additional security enhancements.
Information about the security incident also is posted on the School of Medicine’s website and is available by clicking this link.
The notice to patients, available on their site, is a bit more specific and makes clear that the unauthorized individual is someone who had had a personal relationship with the employee.