Indiana’s DeKalb Health recently announced that some patient information may have been exposed when a server operated by the third-party vendor that runs its Web site “was the target of an overseas hacking attack” (h/t Becker’s Hospital CIO).
The hospital first learned on February 12, 2014 that the personal information of 17 users of its online bill pay Web site may have been accessed, including those users’ names, home addresses, credit card numbers and Social Security numbers. Those 17 people were notified of the breach on March 26, 2014.
Around the same time, DeKalb also discovered that the hackers had set up a fraudulent Web site designed to mimic the donation page for the DeKalb Health Foundation. The hackers targeted DeKalb patients with phishing e-mails linking to the site, and inserted a link to the fraudulent site on DeKalb Health’s own Web site.
About six weeks later, around March 27, 2014, DeKalb learned that a second database on the compromised server may also have been accessed, potentially exposing 24 additional patients’ information, including name, mailing address, e-mail address, phone number, birthdate, Social Security number, hospital ID number, insurance information, general type of service, gender, marital status, religion, race, employer, emergency contact and guarantor. Those 24 people were notified of the breach on April 1, 2014.
Around the same time, the hospital learned that a third database on the compromised server may also have exposed information on approximately 1,320 babies born at the hospital, including their names, weights, lengths, birthdates, parents’ names, and passwords for the hospital’s “Web Babies” site. All affected families were notified on April 24, 2014.
“Since learning of this incident, DeKalb has taken swift and immediate action,” the hospital said in a statement. “The Hospital worked with the third party that operates the compromised server to ensure that the server is no longer utilized for DeKalb purposes. The Hospital also commenced the process of assessing its current relationship with that third party for these services in light of this incident.”
All those affected have been offered one year of free identity monitoring services. Patients with questions are advised to contact (877) 423-0654.