Eskenazi patients receive letter in the mail alerting them of cyber security breach 6 months ago

INDIANAPOLIS — Roughly three months after Eskenazi Health released a statement announcing a cyber security breach that compromised personal data, some patients are just now receiving that news in the mail.

According to this release posted last month, Eskenazi Health was notified of a cyber attack “on or about August 4, 2021” that resulted in the personal information of some employees and patients being leaked to cybercriminals. However, the same release claims the breach actually happened three months prior “on or about May 19, 2021.”

According to the U.S. Department of Health and Human Services, the breach impacted 1,515,918 individuals. However, some of those potentially impacted are just now receiving notification by mail.

FOX59 was able to obtain a copy of the letter, dated November 11, sent to some patients. It claims “sophisticated cyber criminals had gained access to its network on or about May 19, 2021, using a malicious internet protocol address.” It also identified the following medical, financial, and demographic information that may have been accessed by cyber criminals:

  • Name
  • Date of Birth
  • Age
  • Address
  • Telephone number
  • Email addresses
  • Medical record number
  • Patient account number
  • Diagnosis
  • Clinical information
  • Physician name
  • Insurance information
  • Prescriptions
  • Date(s) of service
  • Driver’s license number
  • Passport number
  • Face photos
  • Social Security Number
  • Credit card information

The letter also outlines access to free credit monitoring systems and identity theft protection. Still, cyber security experts point out those services are only viable for 12 months.

“There’s not one standard nationwide, but generally, we do rely oftentimes on snail mail to let people know about a breach involving personal identifiable information,” said Scott Shackelford, a professor and chairman of Cyber Security Risk Management at Indiana University. “We’re supposed to be notified of any breaches of that type of information without ‘unreasonable delay’ but as you can see here, what’s reasonable is in the eye of the beholder.”

Shackelford suggested that all patients, regardless of how or when they were notified, take advantage of the free services provided, freeze their credit, and set up fraud alerts.

A spokesperson with Eskenazi Health did not respond to our requests for an interview, but did provide clarification as to why some patients are just now being notified of a breach that occurred six months ago.

A full transcript of that communication via email is outlined below:

A: I wanted to make sure you understood that there is nothing new since Oct. 1. I understand some people are getting letters. There has not been a delay. This has been all part of the rollout from what we announced on Oct. 1. We determined that the most proactive, all-encompassing approach would be to offer the credit monitoring and identity theft protection to anyone who might have been impacted by this incident. The letters are providing this information. We believe that providing notice and protection casting the widest possible net is the right thing to do and in the best interest of our community.

Here is a link to what we released on Oct. 1: https://www.eskenazihealth.edu/news/update-on-eskenazi-health-cyber-incident

Todd Harper – Spokesperson, Eskenazi Health

Q: Yes – some people are getting letters and thus this is their first direct-notification that their data was compromised. If Eskenazi was made aware in August, but letters are dated/sent November 11th – would you not call that a delay? Are patients expected to constantly check the website for this information? If so, why is the information not posted on the website’s front page?

A: I wanted to stress that we are taking the most proactive, all-encompassing approach by offering the credit monitoring and identity theft protection to anyone who might have been impacted by this incident. The letters dated Nov. 11 are providing this information. We strongly believe that providing notice and protection casting the widest possible net is the right thing to do and in the best interest of our community.

I think you may be going to the wrong website. Here is our front page of our website and as you can see it is on there and has always been on there since we first provided notice.

Todd Harper – Spokesperson, Eskenazi Health

Q: So were these letters sent to everyone who had recently visited Eskenazi? Or just those who actually had their data compromised?

A: Yes, the letters were sent out to anyone who Eskenazi Health has served recently and to offer credit monitoring and identity theft protection to all regardless.  

Todd Harper – Spokesperson, Eskenazi Health

Q: So can you confirm how or when notification was made to those who were directly impacted?

A: Notification started after Oct. and has been ongoing. 

Todd Harper – Spokesperson, Eskenazi Health

Q: And do you know how that notification was and is being made?

A: The first was our public notification Oct. 1 via media and our website and then letters went out after that. 

A: Also, there were different letters that went out to those if it was determined that information was posted on the Dark Web.

Todd Harper – Spokesperson, Eskenazi Health

Q: Yes, that’s what I was asking about – how were those individuals notified and when? Do you happen to have a copy of that notification?

A: The notifications are specific to each individual so we can’t share those. That being said, the information is very similar to the Oct. 1 release. 

Todd Harper – Spokesperson, Eskenazi Health

Q: I understand! Can you say when that notification went out – specifically to those who were directly impacted by the breach?

A: No, I don’t have that information. 

Todd Harper – Spokesperson, Eskenazi Health

Q: Do you have any information regarding how many people did have their information leaked?

A: I do not have that total.

Todd Harper – Spokesperson, Eskenazi Health

Q: So just to confirm:

When it comes to anyone who recently visited Eskenazi — they were notified (regardless of if their data was actually leaked) via the Oct 1 release posted on the website here and also by mailed letters.

Can you confirm when those letters started going out and why we’re seeing one dated November 11 (three months after Eskenazi became aware of the breach)?

When it comes to those who were confirmed to have personal data leaked — they received a different form of letter (that you cannot share) and you cannot confirm when those letters went out nor how many people received them?

Is there anything I’m missing here? I’m trying my best to piece together the string of responses you’ve provided thus far.

A: Thanks, I will send you anything else I can confirm when I have it.

Todd Harper – Spokesperson, Eskenazi Health

Q: Thanks, Todd – but I’m confused? Is what I outlined in my last email accurate?

A: Let me summarize everything we talked about. Eskenazi Health determined that the most proactive, all-encompassing approach would be to offer the credit monitoring and identity theft protection to anyone who might have been impacted by this incident. We believe that providing notice and protection casting the widest possible net is the right thing to do and in the best interest of our community.

We are notifying all individuals whose information may have been impacted by this incident, and offering credit monitoring and identity theft protection. The total number is what is posted on the HHS website. Here is the link: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Todd Harper – Spokesperson, Eskenazi Health

Q: That website lists 1.5 million people impacted by the Eskenazi breach. Can that be correct? Are you providing direct notification to those whose information is confirmed to have been leaked? If yes, how is that being communicated and when was/is that being communicated?

A: The 1.5 million is the total number served at Eskenazi Health that I mentioned in my previous emails. For that number – Eskenazi Health determined that the most proactive, all-encompassing approach would be to offer the credit monitoring and identity theft protection to anyone who might have been impacted by this incident. We believe that providing notice and protection casting the widest possible net is the right thing to do and in the best interest of our community. That is the answer to your first bullet.

As for your second bullet, I answered that already. It has been done through letters.

Todd Harper – Spokesperson, Eskenazi Health

Copyright 2021 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
