Computer virus at Cascade Healthcare Community leads to potential unauthorized access of information

Like all health care organizations, Cascade Healthcare Community has a strong commitment to protecting patient and employee information. Unfortunately, CHC was recently the victim of a computer virus that may have made some personal information vulnerable to inappropriate use.

Despite having an anti-virus security system in place, the CHC computer network was hit by a virus on Dec. 11. The IT group immediately worked to halt the attack and closely monitored the network for several weeks before detecting suspicious activity on Feb. 5. At that time, CHC hired an external information technology forensic team to investigate the incident.

After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised. This information included names, addresses, dates of birth and credit card information for approximately 11,500 members of our community. At this time, there is no evidence indicating any patient health information was compromised.

“Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring services at no charge,” said James A. Diegel, FACHE, President and CEO of CHC. “We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused.”

To assist our community members, CHC has contracted with an industry-leading provider of credit monitoring services and is providing free enrollment in a 12-month credit monitoring program for those affected. All potentially affected individuals will receive additional information directly from this agency within the next several days that includes information on enrollment.

In addition to community member information, CHC has learned that usernames and passwords of all CHC employees were also vulnerable for a short period of time. All caregiver passwords were changed as of 2 p.m. on Thursday, Feb. 21 and there is no evidence that unauthorized users accessed individual patient health information.

“It is vital that we continue to raise the level of security within the organization,” Diegel said. “We are working diligently on all levels of security from educating caregivers on the importance of protecting their passwords to upgrading our virus protections.”

Individuals may obtain a copy of their credit report, free of charge, whether they suspect any unauthorized activity on their account or not. To receive a credit report, contact any one or more of the following national consumer reporting agencies:

Experian                      TransUnion                 Equifax

888-397-3742              877-322-8228              800-685-1111

 

Questions and Answers

Q:   When/Where did the theft/breach occur?

A:   Despite having an anti-virus security system in place, CHC information technology experts detected a virus attack on Dec. 11. CHC’s IT group worked to immediately halt the attack, and then spent the next several weeks closely monitoring the networks. On Feb. 5, suspicious activity was detected on the CHC computer network, and CHC hired an external information technology forensic team to investigate the incident. After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised.

Q:   What happened? What was lost or stolen?

A:   The virus exploited the anti-virus program we were currently running and used its higher-level privileges to cause the security breach. It is possible that credit card and other personal information (names, addresses, dates of birth) may have been compromised from our system applications.

Q: How many people may be impacted by this and exactly whose information was compromised?

A: About 11,500 people’s information may have been compromised due to the security breach. At this time, there is no evidence indicating any patient health information was compromised.

Q:  Is there any way to find out how this virus entered the environment?

A: We suspect that it was through an Internet Web browser or through a thumb drive or floppy disk media. We do not know who did this and whether it was done intentionally or by accident. We have no guarantee we will ever find out who did this. 

Q:   What information was exposed in the breach?

A:   Names, addresses, dates of birth and credit card information might have been exposed to the outside environment. The magnitude of that exposure is not known nor do we know if any credit card information has been specifically used by outside sources to the detriment of individuals.

Q:   What is Cascade Healthcare Community doing about this?

A:   Cascade Healthcare Community notified local law enforcement and is cooperating with the Bend Police Department as we continue our investigation.

Q:   What is Cascade Healthcare Community doing to prevent this from happening in the future?

A.  Cascade Healthcare Community has examined and analyzed existing procedures and systems to ensure appropriate security measures are in place. We have taken immediate steps to increase our investment and focus in the security area. We have created a multiple-step plan to outline immediate and also longer term steps. New virus software and approaches are developed each and every day worldwide. Our protection is a full-time evolving strategy.

Q:   Why wasn’t I notified sooner?

A:  When CHC officials became aware of the breach, we did not initially know if any information had been exposed to outside entities. We notified local law enforcement officials and launched a forensic investigation into the incident. The investigation took some time to complete and included a review of internal security systems to confirm that procedures already in place are strengthened to further safeguard against a breach of data security in the future.

We knew it was imperative that affected individuals were identified and their contact information gathered into a consistent format so they could be notified. All of these steps took time, but we felt it was crucial to have the resources in place so we could best help those affected.

Q: What solutions are you providing?

A:  Cascade Healthcare Community is providing all potentially affected people with access to a credit monitoring service at no cost.

Q:  When will my packet arrive?

A:  The packet for affected individuals, with additional information including a credit report, will arrive in two to three weeks.