Hospital Claims Vendor Involved in Security Breach
Westerly Hospital authorities have claimed that a vendor initiated unauthorized access to its computer system, which led to the compromise of records for over 2,200 patients last winter. The Westerly Sun reported this on October 10, 2007.
According to the report, the security breach in February has been linked to the computer of an employee working for a company that has been supporting the hospital with data under a contract. The company's name has not been disclosed for reasons of confidentiality.
Hospital officials said they are not aware that any patient's identity was hacked. The data breach involved information that included names of patients, their home addresses, medical and insurance information, and Social Security numbers.
Charles Kinney, CEO of Westerly Hospital, although on vacation, issued a statement on October 10, 2007 to NBC 10 saying that the hospital has an indemnification clause established with its vendor and that it was working to estimate the extent of damages the contractor owes it. Kinney added that, as per its investigation, the hospital was satisfied that the security measures applied at the time of the hack were proper.
Kinney further said that Edward A. Mello, the Police Chief of Westerly, first informed the hospital about the breach on March 28, 2007 at 12:15 PM after a female patient noticed something different on the Website.
The woman, who entered a search request for her name on the Google search engine, found a hit to the hospital Website. The site was not affiliated with Westerly Hospital, but it displayed the 'face sheets' of its 2,200 patients.
A 'face sheet' is a form that a patient fills out when he/she first seeks the hospital's medical services. It lists the patient's name, date of birth, address, Social Security number, telephone number, and insurance details.
Hospital authorities contacted the State Department of Health and the State Attorney General. They also notified the Federal Bureau of Investigation (FBI), the U.S. Office of the Attorney General, the Joint Commission (an organization that accredits healthcare providers), and the California Office of Attorney General.
The Westerly Hospital issued a statement expressing regret about the incident.
» SPAMfighter News - 26-10-2007