Indiana University graduate workers strike for union recognition, living wage
NEWS

St. Francis patient data involved in breach

Shari Rudavsky
shari.rudavsky@indystar.com
  • St. Francis officials still trying to determine how many patients were potentially affected.
  • Medical Informatics Engineering says the “sophisticated cyberattack” began on May 7.

Update, July 31, 2:35 p.m. After reports of long wait times on the original Medical Informatics Engineering hotline, Franciscan St. Francis has set up its own hotline that will be open 24/7 to help those whose personal information was compromised in the breach.

The number is (888) 438-3638. Hospital officials say the hotline will operate until the wait on the MIE number improves.

Original story:  Many Franciscan St. Francis Health patients are receiving letters this week telling them that their information was compromised in a widespread data breach first identified in May.

The breach, which involved data held by an outside medical software company that contracts with St. Francis outpatient facilities, involved names, addresses, birth dates, Social Security numbers and health records.

Medical Informatics Engineering, the Fort Wayne-based company that maintained the records, reported the incident to the FBI’s Cyber Squad shortly after noticing suspicious activity on its networks on May 26.

St. Francis officials said they were still trying to determine how many of their patients were potentially affected by the incident. The records of patients of almost 200 health care providers across the nation also were involved.

“That we are not alone does not minimize what has happened,” Franciscan  President and Chief Executive Officer Dr. James Callaghan said in a statement. “Unfortunately, data breaches have become a far-too-common phenomenon. As hard as all of us work to protect confidential information, there are highly sophisticated hackers who work just as hard to steal it.”

In a statement released late Wednesday, Franciscan St. Francis Health officials acknowledged that wait times to an MIE hotline have been long and said that MIE was adding staff for the hotline.

MIE said in a statement that the “sophisticated cyberattack” began on May 7. The company said it was working with a team of outside experts in investigating the attack and improving its data security and protection.

In a Q&A posted Tuesday evening on its website, Franciscan Alliance addressed a number of common concerns, including why patients were not notified earlier about the breach. At the beginning of June, MIE informed all of its clients, which include health care facilities across the country, about the incident. On June 10, MIE issued a news release about the incident, and as soon as Franciscan St. Francis heard, the hospital posted a notice on its website.

Franciscan officials say in the Q&A "it was imperative that impacted individuals were identified and their contact information gathered into a consistent format for notification. This investigation was a time-consuming process, but we believed it was necessary to ensure appropriate precautions and next steps were taken."

The Q&A says that all patients for whom MIE could find current addresses were notified. Anyone who is concerned that their information might have been compromised during the breach can call the MIE hotline.

MIE will provide any patients who receive the letter with two years of free credit monitoring and identity protection services.

For more information, patients can call the toll-free number set up by MIE, (866) 328-1987, from 9 a.m. to 9 p.m. Monday through Friday.

Call Star reporter Shari Rudavsky at (317) 444-6354. Follow her on Twitter: @srudavsky.