An investigation into a data breach that took place at Rutland Regional Medical Center in recent months found that information pertaining to 72,224 patients, as well as almost 4,000 Social Security numbers, may have been stolen.
“There’s no doubt about it, that’s a very high number. We’re very concerned about that,” Claudio Fort, president and CEO of RRMC, said Friday.
A statement released by RRMC said staff members at the hospital in Rutland have not received any reports that personal information has been misused as a result of the breach.
Officials at the health care system don’t know what, if any, specific information was actually accessed, viewed or acquired, but the affected email accounts included, among other items, data files containing the types of demographic information used for health care billing, such as patient names, contact information and medical record numbers.
The information on the email accounts contained 3,683 Social Security numbers as well.
Fort said the hackers weren’t able to get into the electronic medical records system. But, he said, some of the employee email accounts had large data files that may have included some basic description of a patient’s diagnosis.
“It’s a limited amount but still, even the fact of identifying whether someone was a patient here at the hospital, we consider it a HIPAA (Health Insurance Portability and Accountability Act) security incident, and we take that very seriously,” Fort said.
Fort said as the CEO of the hospital, he takes personal responsibility for the data breach.
“I have to tell you, when something like this happens, I can’t express how sorry I am to the community about this. Our highest level of responsibility is protecting patient information and safeguarding that. They entrust us with that information and when something like this happens, we really take it to heart,” he said.
According to the RRMC press release, the information technology department at the hospital determined Dec. 31 that an unknown person or people had gained unauthorized access to an employee’s email account.
Hospital administrators brought in a third-party forensic expert to conduct a full system review. The investigation determined the email accounts of nine employees had been breached between Nov. 2 and Feb. 6.
The hospital has notified the media, the U.S. Department of Health and Human Services and the Vermont attorney general’s office about the breach.
Notification has been posted on the hospital’s website, www.rrmc.org. Notices will also be posted to some media outlets, and notice letters will be mailed to affected patients.
In its statement, RRMC staff said the health care system will offer credit monitoring as well as credit restoration services if necessary, to those patients whose Social Security numbers may have been accessed.
John Quinn, secretary of the Vermont Agency of Digital Services, said when there’s a large data breach in Vermont, the state’s security group wouldn’t get involved unless they were asked.
According to Quinn, a data breach like the one reported by RRMC is not uncommon.
“Bad actors and people trying to steal data don’t necessarily have boundaries on where they look. Vermont is just as vulnerable as any other state or any other business,” he said.
Quinn, in his capacity as secretary, is the state’s chief information officer.
Fort said RRMC administrators are taking steps to train staff to recognize the kind of scam email that might allow someone to access their account. Staff members have been instructed to change their passwords.
The hospital has recently hired two cybersecurity experts, and more than $200,000 in new information security software was purchased in the past year, Fort said.
A team of information technology staff from the hospital will meet with Microsoft experts to discuss ways to prevent future data breaches.
With the investigation underway, Fort said hospital staff had no reason to think the information was taken by RRMC employees. Instead, hospital administrators believe the data breach was perpetrated by people outside of the United States.
“Despite everything we do, when (an incident like) this happens, it erodes a little bit of the public trust and we work so hard to earn that. All I can say is that everything that’s possible, and this is not a financial thing, anything we can do to try to put further safeguards to prevent this from happening again, we are committed to doing,” Fort said.
A dedicated assistance line at 855-742-6198 has been set up by the hospital for people seeking more information about the data breach to call between 9 a.m. and 9 p.m., Monday through Saturday.
Quinn said those residents who fear their information may have been compromised can contact the Vermont attorney general’s consumer protection hotline.
He also reminded Vermonters to be very cautious about how frequently they update passwords and what emails they open and websites they visit.
“Breaches are happening more and more. Attacks are becoming more and more sophisticated. It’s going to get harder and harder to protect your data,” Quinn added.