A notice to our patients of a privacy incident
May 23, 2022
Washington University School of Medicine is committed to protecting the confidentiality and security of our patients’ and research participants’ information. Regrettably, we recently identified a security incident that may have involved some of that information.
On March 24, 2022, our ongoing investigation into suspicious email activity confirmed that an unauthorized person gained access to certain employees’ email accounts. Upon learning of the incident, we immediately took steps to secure the email accounts, and a computer forensic firm was engaged to assist with our investigation. The investigation determined that the unauthorized access occurred between March 4, 2022 and March 28, 2022. The investigation was unable to determine whether the unauthorized person viewed any emails or attachments in the accounts. However, out of an abundance of caution, we initiated a review of the contents of the accounts to identify what information may have been accessible to the unauthorized person. This review is ongoing. However, at this time, we’ve identified emails and attachments containing some of our patients’ and research participants’ information, such as names, dates of birth, addresses, medical record or patient account numbers, and clinical information, such as diagnoses, provider names, and/or dates of service. In some instances, health insurance information and/or Social Security numbers have also been identified in the accounts.
This incident did not affect all School of Medicine patients/research participants, but only those whose information was included in the affected email accounts.
As a precaution, we are mailing letters to individuals whose information was identified in the accounts and for whom we have sufficient contact information to mail a letter. We have also established a dedicated, toll-free call center to answer questions that individuals may have about the incident. If you have questions, please call 1-855-503-2708, available Monday through Friday, from 8:00 a.m. to 5:30 p.m. Central Time. For those whose Social Security numbers are included in the email accounts, we are offering complimentary credit monitoring and identity protection services. We also recommend that affected individuals review statements they receive from their health insurers or healthcare providers. If they see charges for services they did not receive, they should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ and research participants’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment.