Identity protection offered for free to some of the patients

Mar 17, 2015 12:00 GMT

Personal information, including billing account numbers, of about 14,000 patients of the Sacred Heart hospitals in Florida has been exposed in a cyber-attack on a third-party billing vendor used by the health care organization.

News of the incident emerged on February 2, 2015, when the vendor contacted Sacred Heart and informed it that an employee’s email account containing data on the affected patients had been compromised.

Attack was detected on December 4, 2014

The information exposed included patient names, dates of service, dates of birth, diagnosis and procedures, billing account numbers, total charges, and the names of the treating physicians.

Using these details, a malicious individual could call the victims directly and try to extract more data from them in order to gain access to bank accounts, or trick them into paying non-existent medical bills via prepaid cards.

It appears that in the case of 40 patients the social security number (SSN) was also revealed to the hackers. Sacred Heart says that neither medical records nor billing records were accessed by the attacker.

The third-party vendor detected the attack on December 3, 2014, and the immediate measure taken to mitigate further risks was to revoke the username and password for the compromised email box, according to an official notification from Sacred Heart released on Monday.

There is no information about how the perpetrator managed to steal the credentials for the email account.

Identity protection services offered to those whose SSN was exposed

The parties impacted by the incident have been identified following an investigation that involved efforts from Sacred Heart, the billing vendor and computer forensics experts contracted specifically for this purpose.

All affected individuals are currently being notified by the health care entity through various communication channels, such as letters delivered through the US Postal Service and notices published in prominent media outlets in the area.

Sacred Heart offers a one-year free subscription for identity protection and monitoring services to all those whose SSN was exposed as a result of the attack.

The organization has contacted its email service provider for advice on how the security program can be improved to avoid such incidents in the future.