Washington University School of Medicine (the “School of Medicine”) recently announced that it began mailing letters to patients whose information may have been involved in a recent incident involving unauthorized access to employee email accounts.
On March 24, 2022, a School of Medicine investigation into the incident confirmed that an unauthorized person gained access to certain employee email accounts. The School of Medicine immediately took steps to secure the accounts, and a computer forensic firm was engaged to assist with the investigation. The investigation determined the unauthorized access to the employee email accounts occurred between March 4, 2022 and March 28, 2022.
The investigation was unable to determine whether the unauthorized person viewed any of the emails or attachments in the accounts. Out of an abundance of caution, the School of Medicine initiated a review of the contents of the accounts to identify what information may have been accessible to the unauthorized person. This review is ongoing. However, at this time, the School of Medicine has identified emails and attachments within the accounts containing patient and research participant information, including names, dates of birth, addresses, medical record or patient account number, and clinical information, such as diagnoses, provider names, and/or dates of service. In some instances, health insurance information and/or Social Security numbers have also been identified in the accounts.
This incident did not affect all School of Medicine patients/research participants, but only those whose information was included in the affected email accounts.
On May 23, 2022, the School of Medicine began mailing letters to individuals whose information was identified thus far. Upon completion of its ongoing review, the School of Medicine will mail letters to additional individuals whose information is included in the accounts and for whom the School of Medicine has sufficient contact information to mail a letter. The School of Medicine has also established a dedicated, toll-free call center to answer questions that individuals may have about the incident, available at 1-855-503-2708, Monday through Friday, from 8:00 a.m. to 5:30 p.m. Central Time. For those whose Social Security numbers are included in the email accounts, the School of Medicine is offering complimentary credit monitoring and identity protection services. The School of Medicine also recommends that affected individuals review statements they receive from their health insurers or healthcare providers. If they see charges for services they did not receive, they should contact the insurer or provider immediately.
To help prevent something like this from happening in the future, the School of Medicine has reinforced education with its staff regarding how to identify and avoid suspicious emails and is making additional security enhancements to its email environment.
Additional information is available here on the School of Medicine’s website.