Kalispell (Mont.) Regional Healthcare began notifying nearly 130,000 patients Oct. 23 that their information may have been exposed due to a phishing attack, according to the Flathead Beacon.
The health system discovered in June that several employees had provided their credentials to an unauthorized third party. Upon investigation, KRH determined that the hacker may have been able to access data from as early as May.
Patient data that may have been affected included names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, medical histories and treatment information, dates of services, treating and referring physicians, medical bill account numbers and health insurance information. Fewer than 250 patients may have had their Social Security numbers affected.
When KRH discovered that the employees had fallen victim to a phishing attack, the health system immediately disabled the email accounts.
"We are committed to protecting the privacy of our patients and have taken steps to prevent similar events from occurring in the future," said Craig Lambrecht, MD, CEO of the health system, according to the Flathead Beacon. "In addition, we will work with the authorities to hold the perpetrators accountable for this attack against [patient] privacy."
"Our relationship with our patients is our most valued asset," he said. "I want to personally express my deepest regret for any inconvenience that these criminal actions may have caused [patients and their families]."
While there is no evidence that patient information has been misused, KRH is offering patients free credit and identity theft monitoring services for a year. The health system has since taken further steps to minimize the chances of a similar incident happening.