People receiving health care services through River Region Medical Center or its affiliated physicians and might have been among those whose personal information was lifted by a cyber attack on the hospital’s parent company will soon be receiving information on getting identity fraud protection, TRIAD members learned Wednesday.
“If you are among the people affected, you have either received or will receive a letter in a plain white envelop,” said Leigh White, River Region outreach coordinator. She said the letter inside will not say, “River Region Medical Center,” but will have the name of the clinic or physicians group affiliated with the hospital that treats the person.
Community Health Systems, which owns River Region and other hospitals, reported Aug. 18 in a regulatory filing it was the victim of a cyber attack from China in which Social Security numbers and other personal data was stolen.
The attack involved information on about 4.5 million patients who had personal information hacked over the past five years while being treated by physicians affiliated with Community.
It was believed to be the largest attack of its type involving patient information since the U.S. Department of Health and Human Services began tracking breaches in 2009.
Company officials said the transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and Social Security numbers.
White said the cyber attack hacked into the system of Community Health Systems Professional Services Corp., which provides consulting and information services to clinics affiliated with Franklin, Tenn.-based Community Health Systems, between April and June.
She said Community has since taken steps to improve protection from future attacks and advised users to change their passwords. Community is also working with federal authorities investigating the attack and hired forensic experts to examine its system.
The target of the cyber attack, she said, was information involving proprietary and copyrighted material used by Community, but added the personal information taken in the attack could be used by people to seek credit cards or loans or to file false income tax returns in someone else’s name.
“Of course, we don’t know what their (the hackers) intentions are,” she said.
She said the letter offers people whose information was stolen an opportunity to get identity theft protection through Kroll Cyber Security & Information Assurance of Nashville, Tenn., which has been hired by Community Health Systems. People can contact Kroll through its website printed in the letter or a toll-free number to the company, 855-205-6951, that is open from 8 a.m. to 5 p.m. Monday through Friday.
White said Kroll would offer an identity theft protection program at no charge for one year, which includes credit monitoring and identity theft consultation and restoration.
She also urged people to get a copy of their credit report from a credit-monitoring agency like Experian, Equifax or TransUnion.
“Review it, make sure there’s nothing unusual that you’ve never seen before,” she said. “You know who you have credit with. Look for that information. Monitor your accounts.”
She said no one from Community Health or Kroll would call seeking information.
“If anybody calls you and wants personal information, don’t give it to them,” she said. “It’s not us. The only notification is going to be by letter or email.”
“Please know that all of us, not just at River Region, but corporate-wide are sorry this happened. We are patients, also,” said White, who also received a letter saying her information had been hacked. “We do take your information and the protection of it very seriously.”