Patients whose financial, medical and other personal information were involved in the May ransomware attack that hit the Ascension Health system, which included hospitals in Birmingham and Mobile, will be notified after the health system completed its review of the incident earlier this month.
These patients, the system said, will be offered free credit monitoring and identity theft prevention services, and will receive letters notifying them that their information was involved in the attack.
Ascension said Dec. 19 that it completed its review into the attack, which the health system said was caused by a worker who downloaded a “malicious file.”
The health system said the data involved “varies,” but may include: medical information such as medical record numbers and lab tests; payment information, such as credit card and bank account numbers; insurance information, such as Medicaid and Medicare IDs, policies numbers or insurance claims; government identification, such as Social Security numbers, tax ID numbers, driver’s license numbers and passports numbers; and other personal information, such as dates of birth or addresses.
“Although patient data was involved, importantly, there remains no evidence that data was taken from our Electronic Health Records (EHR) and other clinical systems, where our full patient records are securely stored,” Ascension said in its Dec. 19 update on the attack.
Letters notifying impacted patients would be sent out over the next one to two weeks, the health system said.
The attack, which was discovered May 8, paralyzed the St. Louis-based health system’s computers and led Ascension to remove its hospitals’ access to electronic patient records. Ascension announced in June that access was restored at its Alabama facilities.
Ascension Health operated five hospitals in the Birmingham metropolitan area, including St. Vincent’s Hospital, at the time of the attack.
The hospitals were since acquired by UAB Hospital.
Providence Hospital in Mobile, which had been owned by Ascension before it sold the facility to the University of South Alabama last year, was also impacted because it remained on some of Ascension’s IT systems.