OMAHA, Neb. (WOWT) – Health care systems across the country have been frequent targets of cyber attacks in recent years and 6 News has learned CHI Health patient information was likely compromised.
CHI Health was recently informed that one of their vendors with access to patient data, MCG Health out of Seattle, was hit by a cyber attack that affected several of their clients, including CHI Health, Avera Health in Sioux Falls, and Kaiser Permanente in Washington state.
When the data was actually first obtained through a cyber-attack and who the attackers remain unclear. A spokesperson for CHI Health referred us to MCG Health, who replied, in an email with a link to their online notification. Interview requests were declined. A banner at the top of CHI’s website “Vendor Privacy Breach Notification June 2022″ provided a link to a company statement that is similar to the MCG Health statement.
MCG Health said in the statement they “determined on March 25, 2022, that an unauthorized party previously obtained certain personal information about affected individuals that matched data stored on MCG’s systems.”
“Upon learning of this issue, MCG took steps to understand its nature and scope,” MCG Health president and CEO Jon Shreve wrote in the online statement. “A leading forensic investigation firm was retained to assist in the investigation. Additionally, MCG is coordinating with law enforcement. MCG has deployed additional monitoring tools and will continue to enhance the security of its systems.”
CHI Health’s notification added more details to the information timeline.
“On April 22, 2022 MCG notified our organization that some of our patients’ data may have been involved in the cybersecurity event. At first, we were hopeful that the information had not been accessed or disclosed. However, after additional analysis, we determined on May 11, 2022 that there is a likelihood that the protected health information of some of our patients may have been compromised.”
The compromised information includes social security numbers, addresses, phone numbers, email addresses, and birth dates. The HIPAA Breach Notification Rule requires the companies to contact those who may have had their information accessed in cyber incidents.
CHI Health’s notification said that MCG will be notifying those impacted “via mailed letter.” Those people will also be given access to identity protection and credit monitoring services for two years at no cost.
MCG has a dedicated call center to answer questions about the cyber attack at 1-866-475-7221.
Copyright 2022 WOWT. All rights reserved.