More than 35K letters were sent out to patients after phishing attack on Roper St. Francis

Hospital officials learned someone may have gained unauthorized access to 13 employee email accounts.

CHARLESTON, SC (WCSC) - Information provided by the U.S. Department of Health and Human Services shows that Roper St. Francis sent out more than 35,000 letters to patients who may have been affected by a November 2018 phishing attack.

A total of 35,253 letters were sent out because the 13 teammates’ email accounts that may have been compromised contained some form of health information for 35,253 patients.

“The vast majority of those people only had limited information included, for example some combination of name, date of birth, address, or treatment information,” Roper spokesman Andy Lyons said Friday.

Roper learned that the information for 25 of those 35,253 people may also have included their Social Security number, so it offered free credit monitoring to those whose Social Security numbers could have been compromised. Lyons underlined that Roper has no reason to believe any of the information was actually viewed or used and that the letters were sent to notify all potentially affected by the incident.

The letter from Corporate Privacy Officer Elizabeth Willis states in part, “out of an abundance of caution we want to advise you of a recent incident that may have involved some of your information.... Our investigation determined that some of your information may have been contained in the email accounts, including your name, date of birth and information related to the care you received at Roper St. Francis. Again, we have no indication that any of your information has been misused, and we want to assure you that we take this matter very seriously. We recommend that you review the billing statements you receive from your healthcare providers. If you see services you did not receive, please contact the provider immediately.”

The full letter can be found below:

The letter that Roper St. Francis sent to patients after the phishing attack (Source: Provided)

Under section 13402(e)(4) of the HITECH Act, the Secretary of Health and Human Services must make a list of breaches of unsecured protected health information affecting 500 or more individuals publicly available.

Lyons added that there has been no evidence anyone has misused patient or employee information.

“We are fortunate to have dedicated Information Security professionals employed to identify and stop potential cyber threats,” Lyons said Friday. “Each day, our Information Security team identifies and prohibits 70,000 rogue emails from accessing our network and more than 40,000 attempts to break through our firewalls.”

The attack remains under investigation by the HHS Office for Civil Rights.

Copyright 2019 WCSC. All rights reserved.