Date: 2019-08-30

VINTON – A data breach at Virginia Gay Hospital earlier this summer happened when one employee clicked on a phishing e-mail and gave access to the hospital’s network.
The breach was announced Aug. 16. Hospital officials became aware of a “data security incident” on June 18. The announcement in August said an email account containing patient information may have been accessed by an unknown third party.
Michelle Schoonover, Virginia Gay Hospital chief executive officer, talked to Vinton Noon Kiwanis members about what happened and made recommendations of protective steps which could be taken based on the hospital’s experiences.
Forensic experts enlisted by the hospital determined patient names, dates of birth, Social Security numbers and medical information may have been compromised.
However, officials have not seen evidence information was accessed. They provided notice to patients who may be affected. Those believed possibly affected have been sent a letter. A call center to answer patients’ questions has been established. The number is: 855-940-0843.
Schoonover said phishing can be targeted against organizations and industries of all sizes. Email fraud in health care has risen 473 percent in the last two years. In July of 2019, three major breaches happened with big companies.
Schoonover said several factors make health care a target for phishing. Health care has aging IT infrastructure. The staff is overworked and there is a lot of identifiable information available, both personal and health related.
“Software is one thing that we can upgrade,” said Schoonover.
Schoonover said it usually takes only one click on an email by one person to open the system up for a breach.
“So, what happened at the hospital?” Schoonover asked.
She said that near the end of 2018 they began noticing that several people were reporting fraudulent charges on their credit card accounts. This continued after the holidays.
They contacted local law enforcement authorities who advised them to contact the Iowa Attorney General’s Office and the FBI.
“I gotta tell you, we didn’t seem to get much direction from them,” said Schoonover. “I hate to say it. That is what we did and they told us to let them know what we found out.”
One step to protect oneself after such a situation is to close out the affected account and open a new one, said Schoonover.
Several years ago, the hospital’s insurance agent had convinced them to buy a policy for cyber security. That insurance coverage provides a forensic investigator, who reviews the email account and the network system and connects with other organizations.
It was learned it involved one employee’s email and was linked to Nigeria. They gained access to passwords and emails going back from three to five years.
In addition to passwords and emails, the hackers had access to about 120,000 other documents. Financial information was found in about 5,000 documents.
Schoonover said most of the information was not in patient records, but billing and insurance information.
The Department of Health and Human Services had to be notified along with the affected individuals.
Because more than 500 people were involved, the hospital had to issue a notice to the local news media. This was done through the Cedar Rapids Gazette and Cedar Rapids and Waterloo television stations.
The letters mailed to those affected explained how to sign up for identity protection.
Since the situation was discovered, Virginia Gay Hospital has updated its security measures including the firewall, reviewed policy and procedures, and upgraded password requirements.
“The biggest thing is training and retraining our workforce on what phishing is,” said Schoonover. “What to look for, cleaning out your email folders.”
Schoonover said their system now will only allow so much email data to be stored before it begins erasing data.
“I apologize for the inconvenience for everyone but thank God it wasn’t a ransom (ware),” said Schoonover.