Facts about the event
Despite being named in the top quartile for data security readiness by a third-party firm, our health system was a victim of a highly sophisticated attack on our information technology systems in the summer of 2019. Safeguarding our patients and their personal information is a top priority, and we want our community to be aware of what happened and how we have addressed it:
- During the summer of 2019, we discovered that several employees were victims of a well-designed email that led them to unknowingly provide their login credentials to malicious criminals.
- We immediately disabled the employees’ accounts, notified federal law enforcement, and launched an investigation, which was performed by a nationally recognized digital forensics firm, to determine whether any personal information was affected.
- On August 28, 2019, we learned that some patients’ personal information may have been accessed without authorization. A deeper investigation specifically determined which patients’ information may have been accessed as early as May 24, 2019.
- Different information may have been involved for each person. The information may have involved a patient’s name, Social Security number, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating/referring physician, medical bill account number and/or health insurance information.
- Although there is no indication that the information was misused, we mailed notification letters to potentially impacted patients to make them aware of the event and the steps they can take to protect their information.
- All notified patients were offered complimentary fraud consultation and identity theft restoration services. In addition, the notification letters offer affected individuals 12 months of web and/or credit monitoring services at no charge, depending on what information was involved for that individual.
- In addition, we have taken further steps to revise procedures that will minimize the risk of a similar event happening again.
We work continuously to prevent similar events from occurring in the future. In addition, we are working with the authorities to hold the perpetrators accountable for this attack against our patients’ privacy.
Frequently Asked Questions
Q: What happened?
We recently learned of a data security incident in which personal information of some KRH patients may have been accessed without authorization. If you received a letter, your personal information may have been involved.
Q: I received a letter. What should I do?
The notification letter that you received contains information about the incident, including the types of information that may have been impacted, and describes steps that you can take to help protect your information.
Q: Was my personal information involved?
If your personal information was involved, you will receive a letter that contains information about the incident, including the types of information that may have been impacted, and describes steps that you can take to help protect your information.
Q: What information about me was accessed?
Different information may have been involved for each person. The specific information was noted in the letter you received.
Q: Has my information been misused?
We are not aware of any misuse of the information that may have been accessed. Please follow the steps listed in the notification letter.
Q: How do I know my information is safe?
We are committed to protecting the privacy of our patients and have taken steps to prevent similar events from occurring in the future.
*All notified individuals were offered complimentary fraud consultation and identity theft restoration services. In addition, the notification letters also may offer affected individuals 12 months of complimentary monitoring services, which may include identity monitoring or credit monitoring services, depending on what information was involved for that individual.