December 22, 2017
Potential Information Breach at Davis County Hospital
Davis County Hospital (DCH) learned on October 31st, 2017 that an unauthorized individual/hacker had forced their way into the DCH email system via two employee email accounts. The unauthorized individual/hacker then used the employee email accounts to further redistribute additional phishing emails. In addition to having access to email contacts within those email accounts, they would have had access to the emails contained within those accounts.
DCH initiated an investigation as soon as the breach was identified with the support of Mercy Health Network and Trinity Health on ensuring compliance with HIPAA regulatory items. Davis County Hospital, through a thorough investigation, cannot confirm that the intruder actually accessed, viewed, or further disclosed any protected health information contained within the email inboxes that the unauthorized individual/hacker had access to.
Through the investigation, a total of 383 patients were identified that could have had information potentially accessed, including information such as possible name, address, date of birth, and insurance billing information. Of the 383 identified patients, 25 were identified as higher risk, as information included social security numbers, diagnoses, and/or credit card numbers.
Davis County Hospital wants patients to know we have moved as swiftly as we possibly could to address the problem as soon as it was detected. To ensure any impact to the potentially affected patients is minimized, all 383 individuals were sent communication on the potential breach. Those 25 individuals identified as high risk, were also offered one year of support through Experian, a credit monitoring service to put their mind at ease. For those offered one year of support through Experian, please ensure you enroll by March 31, 2018 utilizing the information provided in your personalized letter; your activation code will expire after this date.
Phishing emails targeting individuals are increasingly the most common way criminals attempt to gain access to secured networks. Our organization continues to receive high ratings from independent security risk assessment firm FRSecure for risk analysis activities which are performed annually. Our organization employs numerous industry leading hardware and software security tools and processes to protect our patient’s health information along with ongoing security awareness training to all staff.
Davis County Hospital is actively taking steps to guard against something like this happening again, including adding additional layers of security to the email system along with continuing best practices of using industry leading information security resources, systems, and security awareness training for all staff.
Because we value each of our customers, and their trust is important to us, we want our customers to know we are doing our best to ensure security within our system. Our top priority will continue to be taking care of our patients and helping them feel confident in us to protect their health information while providing knowledge and trustworthy care for our community.
Potentially affected patients were mailed notices informing them of this incident. We are also providing this website notice because we anticipate that certain patients may have moved or may not be reachable by mail. Patients directly impacted by the potential breach, are encouraged to reach out to DCH with any questions they might have, by contacting our Privacy Officer at toll free number, 1-888-664-2145 between the hours of 8:00am and 5:00pm, Monday – Friday.
What You Should Do if You Think Your Identity Has Been Stolen
If you become a victim of identity theft, or even suspect that you might be a victim, take immediate action.
- Contact one of the credit reporting agencies’ fraud alert departmentsand place a fraud alert on your credit report.
- Contact your lenders, banks, and insurance companies and let them know the situation.
- File a police report—it is proof of the crime.
- Periodically check your credit reportsover the next year to make sure no new fraudulent activity has occurred.
Please understand that Davis County Hospital takes our responsibility to safeguard your personal information very seriously, and deeply regret that this incident has occurred. Although the risk is very low for the misuse of the data contained in these emails, please be assured we are taking every possible step to ensure your information remains private. We regret any inconvenience or concern this situation may cause our patients.\