Washington University School of Medicine announced today that it began mailing letters to patients whose information may have been involved in a recent incident involving unauthorized access to an employee’s email account.
On Jan. 31, 2020, a School of Medicine investigation into the incident confirmed that an unauthorized person gained access from Jan. 12 to Jan. 13, 2020, to the email account of an employee in the Division of Oncology. The School of Medicine immediately took steps to secure the employee’s account, and a leading computer forensic firm was engaged to assist with the investigation.
The investigation was unable to determine whether the unauthorized person viewed any of the employee’s emails or attachments. Out of an abundance of caution, the School of Medicine reviewed all of the emails and attachments contained in the account to identify patient information that may have been accessible to the unauthorized person.
As a result of that review, between March 16 and March 24, 2020, the School of Medicine determined that emails or attachments in the account contained patient information, which may have included patient names, dates of birth, medical record or patient account numbers, and limited treatment and/or clinical information, such as diagnoses, provider names, and/or lab results. In some instances, patients’ health insurance information and/or Social Security numbers also were included in the account.
This incident did not affect all School of Medicine patients but only those whose information was included in the affected email account.
On March 31, 2020, the School of Medicine began mailing letters to patients whose information was identified in the account. The School of Medicine also has established a dedicated, toll-free call center to answer questions that individuals may have about the incident. Patients with questions can call 1-888-921-0543, Monday through Friday, from 8 a.m. through 5:30 p.m. Central time.
For patients whose Social Security numbers were included in the email account, the School of Medicine is offering complimentary credit monitoring and identity protection services. The School of Medicine also recommends that affected patients review statements they receive from their health insurers or health-care providers. If they see charges for services not received, they should contact the insurer or provider immediately.
To help prevent something like this from happening in the future, the School of Medicine has reinforced education with its staff regarding how to identify and avoid suspicious emails and is making additional security enhancements to its email environment.
Additional information is available here on the School of Medicine’s website.