Cascade Healthcare Community donors affected by malware
Technorati Tag: Security Breach
Date Reported:
3/5/08
Organization:
Cascade Healthcare Community
Contractor/Consultant/Branch:
St. Charles Medical Center (Bend - Redmond)
Victims:
"community members", Donors
Number Affected:
11,500
Types of Data:
Names, addresses, dates of birth and credit card information
Breach Description:
"A computer virus may have exposed the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community in Bend and Redmond"
Reference URL:
Cascade Healthcare Community press release
The Oregonian
The Bend Bulletin
Report Credit:
Cascade Healthcare Community
Response:
From the online sources cited above:
Like all health care organizations, Cascade Healthcare Community has a strong commitment to protecting patient and employee information.
[Evan] We would like to think "all health care organizations" have a strong commitment to protecting patient and employee information, but some obviously take this commitment more seriously than others.
Unfortunately, CHC was recently the victim of a computer virus that may have made some personal information vulnerable to inappropriate use.
Despite having an anti-virus security system in place, the CHC computer network was hit by a virus on Dec. 11.
The IT group immediately worked to halt the attack and closely monitored the network for several weeks before detecting suspicious activity on Feb. 5. At that time, CHC hired an external information technology forensic team to investigate the incident.
After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised.
This information included names, addresses, dates of birth and credit card information for approximately 11,500 members of our community.
[Evan] Although I think I understand why this information was kept by CHC, I don't agree with CHC's decision to keep credit card information on file. I can see something like this as a statement, "In the best interests of CHC, it's donors and patients, we do not store credit card information".
At this time, there is no evidence indicating any patient health information was compromised.
“Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring services at no charge,” said James A. Diegel, FACHE, President and CEO of CHC.
[Evan] Mr. Diegel understands that the information security buck stops with him. As an organizational leader, he understands that he is ultimately responsible for the due care of information assets. I admire Mr. Diegel for addressing this situation personally.
“We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused.”
CHC has contracted with an industry-leading provider of credit monitoring services and is providing free enrollment in a 12-month credit monitoring program for those affected. All potentially affected individuals will receive additional information directly from this agency within the next several days that includes information on enrollment.
In addition to community member information, CHC has learned that usernames and passwords of all CHC employees were also vulnerable for a short period of time.
All caregiver passwords were changed as of 2 p.m. on Thursday, Feb. 21 and there is no evidence that unauthorized users accessed individual patient health information.
“It is vital that we continue to raise the level of security within the organization,” Diegel said. “We are working diligently on all levels of security from educating caregivers on the importance of protecting their passwords to upgrading our virus protections.”
[Evan] "It is vital that we continue to raise the level of security within the organization". This is one of the best statements I have read from an organization leader in some time. It is vital that ALL of us raise the "level of security" within our areas of responsibility (personally and within our organizations) and explore ways to continuously improve our security posture. This is a never-ending cycle.
A few select FAQ's from the press release:
Q: Is there any way to find out how this virus entered the environment?
A: We suspect that it was through an Internet Web browser or through a thumb drive or floppy disk media. We do not know who did this and whether it was done intentionally or by accident. We have no guarantee we will ever find out who did this.
[Evan] This is all too common. Understand that each and every connection we make from work to an Internet site is a potential (and at times successful) avenue of attack. We weigh the convenience and business benefits of using the Internet against the risk of exposure. It's about balance.
Q: What is Cascade Healthcare Community doing to prevent this from happening in the future?
A. Cascade Healthcare Community has examined and analyzed existing procedures and systems to ensure appropriate security measures are in place. We have taken immediate steps to increase our investment and focus in the security area. We have created a multiple-step plan to outline immediate and also longer term steps. New virus software and approaches are developed each and every day worldwide. Our protection is a full-time evolving strategy.
Commentary:
I am very impressed with Cascade Healthcare Community's press release. The information they provide paints a clear picture of what happened and helps me to feel confident that they know what they are doing. I would just suggest that they not store credit card information anymore (if possible).
Past Breaches:
Unknown
Date Reported:3/5/08
Organization:
Cascade Healthcare Community
Contractor/Consultant/Branch:
St. Charles Medical Center (Bend - Redmond)
Victims:
"community members", Donors
Number Affected:
11,500
Types of Data:
Names, addresses, dates of birth and credit card information
Breach Description:
"A computer virus may have exposed the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community in Bend and Redmond"
Reference URL:
Cascade Healthcare Community press release
The Oregonian
The Bend Bulletin
Report Credit:
Cascade Healthcare Community
Response:
From the online sources cited above:
Like all health care organizations, Cascade Healthcare Community has a strong commitment to protecting patient and employee information.
[Evan] We would like to think "all health care organizations" have a strong commitment to protecting patient and employee information, but some obviously take this commitment more seriously than others.
Unfortunately, CHC was recently the victim of a computer virus that may have made some personal information vulnerable to inappropriate use.
Despite having an anti-virus security system in place, the CHC computer network was hit by a virus on Dec. 11.
The IT group immediately worked to halt the attack and closely monitored the network for several weeks before detecting suspicious activity on Feb. 5. At that time, CHC hired an external information technology forensic team to investigate the incident.
After an exhaustive forensic evaluation, CHC learned Feb. 20 that some personal information stored on our systems may have been compromised.
This information included names, addresses, dates of birth and credit card information for approximately 11,500 members of our community.
[Evan] Although I think I understand why this information was kept by CHC, I don't agree with CHC's decision to keep credit card information on file. I can see something like this as a statement, "In the best interests of CHC, it's donors and patients, we do not store credit card information".
At this time, there is no evidence indicating any patient health information was compromised.
“Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring services at no charge,” said James A. Diegel, FACHE, President and CEO of CHC.
[Evan] Mr. Diegel understands that the information security buck stops with him. As an organizational leader, he understands that he is ultimately responsible for the due care of information assets. I admire Mr. Diegel for addressing this situation personally.
“We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused.”
CHC has contracted with an industry-leading provider of credit monitoring services and is providing free enrollment in a 12-month credit monitoring program for those affected. All potentially affected individuals will receive additional information directly from this agency within the next several days that includes information on enrollment.
In addition to community member information, CHC has learned that usernames and passwords of all CHC employees were also vulnerable for a short period of time.
All caregiver passwords were changed as of 2 p.m. on Thursday, Feb. 21 and there is no evidence that unauthorized users accessed individual patient health information.
“It is vital that we continue to raise the level of security within the organization,” Diegel said. “We are working diligently on all levels of security from educating caregivers on the importance of protecting their passwords to upgrading our virus protections.”
[Evan] "It is vital that we continue to raise the level of security within the organization". This is one of the best statements I have read from an organization leader in some time. It is vital that ALL of us raise the "level of security" within our areas of responsibility (personally and within our organizations) and explore ways to continuously improve our security posture. This is a never-ending cycle.
A few select FAQ's from the press release:
Q: Is there any way to find out how this virus entered the environment?
A: We suspect that it was through an Internet Web browser or through a thumb drive or floppy disk media. We do not know who did this and whether it was done intentionally or by accident. We have no guarantee we will ever find out who did this.
[Evan] This is all too common. Understand that each and every connection we make from work to an Internet site is a potential (and at times successful) avenue of attack. We weigh the convenience and business benefits of using the Internet against the risk of exposure. It's about balance.
Q: What is Cascade Healthcare Community doing to prevent this from happening in the future?
A. Cascade Healthcare Community has examined and analyzed existing procedures and systems to ensure appropriate security measures are in place. We have taken immediate steps to increase our investment and focus in the security area. We have created a multiple-step plan to outline immediate and also longer term steps. New virus software and approaches are developed each and every day worldwide. Our protection is a full-time evolving strategy.
Commentary:
I am very impressed with Cascade Healthcare Community's press release. The information they provide paints a clear picture of what happened and helps me to feel confident that they know what they are doing. I would just suggest that they not store credit card information anymore (if possible).
Past Breaches:
Unknown
Posted by Evan Francen at 3/7/2008 1:57 PM 
Categories: Malware, St. Charles Medical Center, Cascade Healthcare Community
Categories: Malware, St. Charles Medical Center, Cascade Healthcare Community
Posts Atom 1.0
Comments