December 27, 2017 – Davis County Hospital (DCH) learned on October 31st, 2017 that an unauthorized individual/hacker had forced their way into the DCH email system via two employee email accounts. The unauthorized individual/hacker then used the employee email accounts to further redistribute additional phishing emails. In addition to having access to email contacts within those email accounts, they would have had access to the emails contained within those accounts.
DCH initiated an investigation as soon as the breach was identified with the support of Mercy Health Network and Trinity Health on ensuring compliance with HIPAA regulatory items. Davis County Hospital, through a thorough investigation, cannot confirm that the intruder actually accessed, viewed, or further disclosed any protected health information contained within the email inboxes that the unauthorized individual/hacker had access to.
Through the investigation, a total of 383 patients were identified that could have had information potentially accessed, including information such as possible name, address, date of birth, and insurance billing information. Of the 383 identified patients, 25 were identified as higher risk, as information included social security numbers, diagnoses, and/or credit card numbers.
“We want patients to know we have moved as swiftly as we possibly could to address the problem as soon as it was detected,” said Kirby Johnson, CEO. “To ensure any impact to the potentially affected patients is minimized, all 383 individuals were sent communication on the potential breach. Those 25 individuals identified as high risk, were also offered one year of support through Experian, a credit monitoring service to put their mind at ease.”
“Phishing emails targeting individuals are increasingly the most common way criminals attempt to gain access to secured networks. Our organization continues to receive high ratings from independent security risk assessment firm FRSecure for risk analysis activities which are performed annually,” stated Christopher Hickie, Director of Information Technology. “Our organization employs numerous industry leading hardware and software security tools and processes to protect our patient’s health information along with ongoing security awareness training to all staff.
“We are actively taking steps to guard against something like this happening again, including adding additional layers of security to the email system along with continuing best practices of using industry leading information security resources, systems, and security awareness training for all staff,” said Hickie.
“Because we value each of our customers, and their trust is important to us, we want our customers to know we are doing our best to ensure security within our system,” said Johnson. “Our top priority will continue to be taking care of our patients and helping them feel confident in us to protect their health information while providing knowledgeable and trustworthy care for our community.”
Patients directly impacted by the potential breach, are encouraged to reach out to DCH with any questions they might have, by contacting our Privacy Officer at toll free number, 1-888-664-2145 between the hours of 8:00am and 5:00pm, Monday – Friday.