A notice to oncology patients of a privacy incident
March 31, 2020
Washington University School of Medicine is committed to protecting the confidentiality and security of our patients’ information. Regrettably, this notice concerns a security incident that may have involved some of that information.
On Jan. 31, 2020, our investigation into an email incident confirmed that from Jan. 12, 2020 to Jan. 13, 2020, an unauthorized person gained access to the email account of a research supervisor in the Division of Oncology. Upon learning of the incident, we immediately took steps to secure the employee’s account, and a leading computer forensic firm was engaged to assist with our investigation. The investigation was unable to determine whether the unauthorized person viewed any emails or attachments in the account. Out of an abundance of caution, we reviewed all the emails and attachments contained in the account to identify patient information that may have been accessible to the unauthorized person. As a result of that review, between March 16, 2020 and March 24, 2020, we determined that emails or attachments in the account contained patient information, which may have included patient names, dates of birth, medical record or patient account numbers, and limited treatment and/or clinical information, such as diagnoses, provider names, or lab results. In some instances, patients’ health insurance information and/or Social Security numbers were also included in the account.
This incident did not affect all School of Medicine patients, but only those patients whose information was included in the employee’s email account.
As a precaution, we are mailing letters to patients whose information was identified in the account. We also have established a dedicated, toll-free call center to answer patients’ questions. If you have questions, please call 1-888-921-0543, Monday through Friday, from 8:00 a.m. to 5:30 p.m. central time. For those patients whose Social Security numbers were included in the email account, we are offering complimentary credit monitoring and identity protection services. We also recommend that affected patients review any statements they receive from their health insurers or healthcare providers. If patients see charges for services not received, they should contact the insurer or provider immediately.
We regret any concern or inconvenience this incident may cause. We remain committed to protecting the confidentiality and security of our patients’ information. To help prevent something like this from happening in the future, we have reinforced education with our staff regarding how to identify and avoid suspicious emails and are making additional security enhancements to our email environment.