Some of the patient and employee data stolen during a cyberattack on Eskenazi Health in May has been posted on the dark web, the health care provider said in a statement Friday.
Eskenazi Health had said in August that there was no evidence that the attack led to bank or credit card fraud, but the health care provider is now advising people to check with credit reporting agencies and get free credit monitoring and identity theft protection.
Eskenazi Health is part of Marion County Health & Hospitals Inc. which also includes the Marion County Department of Public Health, Indianapolis Emergency Medical Services and Sidney & Lois Eskenazi Hospital.
The stolen data includes medical, financial and demographic information about patients and employees, Eskenazi said. Information posted on the dark Web may include names, dates of birth, ages, addresses, phone numbers, e-mail addresses, medical record numbers, patient account numbers, diagnoses, clinical information, physician names, insurance information, prescriptions, dates of service, driver's license numbers, passport numbers, facial photos, Social Security numbers and credit card information.
For deceased patients, this information may also include cause of death and date of death.
Those affected by the data breach will receive letters detailing which specific types of information about them were involved.
The data breach occurred around May 19, and a press release from Eskenazi Health said the healthcare provider learned of the breach around Aug. 4 and took its network offline "to protect its information and maintain the security and integrity of patient care.
Eskenazi said in late August that it had notified the Federal Bureau of Investigation, which is working with the healthcare provider on the investigation.
Virtru, a data encryption and digital privacy provider, said healthcare data security is a major challenge. They cite health information exchange, electronic records, user error in technology adoption, hacking, cloud and mobile technologies and outdated technology in hospitals as the biggest challenges facing healthcare providers.
Eskenazi Health made the announcement, saying it is making changes and working to identify areas for improvement:
News release
“Indianapolis, October 1, 2021 — Eskenazi Health has announced that a cyberattack conducted by cyber criminals and discovered by Eskenazi Health on or about August 4, 2021, resulted in the compromise of personal information of some employees and patients, including health information. Eskenazi Health, a public hospital division of the Health & Hospital Corporation of Marion County (HHC), is leading the investigation on behalf of HHC and its divisions.
“The Cyberattack and Eskenazi Health’s Response
“On or about August 4, 2021, Eskenazi Health’s information security team became aware of suspicious activity on its system. Upon detecting this activity, Eskenazi Health immediately took steps to take its network offline in order to protect its information and to maintain the safety and integrity of patient care. Eskenazi Health has a comprehensive clinical information system and followed its established downtime procedures.
“In accordance with its information security protocols, Eskenazi Health promptly investigated this activity to identify the scope and nature of the attack and determined that sophisticated cyber criminals had gained access to its network on or about May 19, 2021, using a malicious internet protocol address. The cyber criminals also disabled security protections, which made it difficult to detect their activity until they launched the cyberattack.
“Eskenazi Health values its patients, employees and providers and is committed to privacy. We quickly engaged an independent forensic team to investigate and contain the incident and to protect against further criminal activity. Eskenazi Health’s forensic team conducted an extensive investigation and assisted Eskenazi Health with mitigation steps to ensure the cyber criminals were no longer on its network. Eskenazi Health also notified the FBI and enabled additional security measures to further enhance its network security. There is no evidence that any files were ever locked by the cyber criminals, and Eskenazi Health did not make a ransom payment to the cyber criminals.
“Despite Eskenazi Health’s efforts, data was stolen from its network by the cyber criminals and they released some of the data on a portion of the Internet known as the dark web. This data included certain personal and health information of some patients and employees of HHC. Impacted individuals are discussed below.
“Eskenazi Health is constantly evaluating its security systems and will continue to make improvements as necessary to protect the privacy and security of information on an ongoing basis. Eskenazi Health has been proactive in its efforts to implement policies, procedures, and safeguards to prevent data compromises from occurring in the future and has worked with its forensic team to identify any areas for improvement.
“The Information Affected
“Through its review of data, Eskenazi Health has determined that medical, financial, and demographic information of certain individuals was obtained by the cyber criminals and posted on the dark web. The information impacted may include: name, date of birth, age, address, telephone number, email addresses, medical record number, patient account number, diagnosis, clinical information, physician name, insurance information, prescriptions, date(s) of service, driver’s license number, passport number, face photos, Social Security number, and credit card information. In the case of deceased patients, this information also may include cause of death and date of death. Impacted individuals will receive a letter detailing which specific types of their information were involved in the incident.
“The Information Affected
“Through its review of data, Eskenazi Health has determined that medical, financial, and demographic information of certain individuals was obtained by the cyber criminals and posted on the dark web. The information impacted may include: name, date of birth, age, address, telephone number, email addresses, medical record number, patient account number, diagnosis, clinical information, physician name, insurance information, prescriptions, date(s) of service, driver’s license number, passport number, face photos, Social Security number, and credit card information. In the case of deceased patients, this information also may include cause of death and date of death. Impacted individuals will receive a letter detailing which specific types of their information were involved in the incident.
“Impacted Individuals
“Impacted individuals, or their loved ones, may wish to review information maintained by each of the credit reporting bureaus and any applicable financial institutions to detect any suspicious activity. Contact the credit bureaus at the following numbers:
“· Equifax 800-525-6285
“· Experian 888-397-3742
“·Trans Union 800-680-7289
“Identity theft protection, including credit monitoring, is available for impacted individuals at no cost to them. Instructions on how to enroll in the identity theft protection program will be included in each impacted individual’s letter. If Eskenazi Health becomes aware of any additional material information, it will make such information available via its incident website, located here: https://www.eskenazihealth.edu/cyber-incident.
“Individuals who have additional questions regarding this incident should contact (855) 896-4446. Please be prepared to provide Engagement Number B019316 when speaking with a representative.
“About Eskenazi Health
“For more than 160 years, Eskenazi Health has provided high-quality, cost-effective, patient-centered health care to Central Indiana. Accredited by The Joint Commission, nationally recognized programs include a Level I trauma center, regional burn center, comprehensive senior care program, women’s and children’s services, teen and adolescent care programs, Lifestyle Health & Wellness Center, Sandra Eskenazi Mental Health Center, and a network of primary care sites located throughout the neighborhoods of Indianapolis known as Eskenazi Health Center. In partnership with the Regenstrief Institute, Eskenazi Health conducts groundbreaking work that informs health information technology around the globe. Eskenazi Health also serves as the sponsoring hospital for Indianapolis Emergency Medical Services. As the public hospital division of the Health & Hospital Corporation of Marion County (HHC), Eskenazi Health partners with the Indiana University School of Medicine whose physicians provide a comprehensive range of primary and specialty care services. In 2013, the Sidney & Lois Eskenazi Hospital opened, providing a new modern and efficient facility and becoming Central Indiana’s first Leadership in Energy and Environmental Design (LEED®) Gold health care campus. Eskenazi Health has been named one of Becker’s Hospital Review’s “150 Top Places to Work in Healthcare” for the past four consecutive years.”
News release from Eskenazi Health