RICHMOND, Va. - Approximately 655,000 patients of the Bon Secours Health System are being notified that their information may have been compromised during an incident with a contractor in April.
According to a release, R-C Healthcare Management, a company doing work for Bon Secours, inadvertently left files containing patient information accessible on the internet from April 18th to April 21st while attempting to adjust its network settings.
The oversight was discovered by Bon Secours staff members on June 14, and they immediately notified R-C Healthcare to secure the files.
In a statement from R-C Healthcare, CEO and President K. Michael Webdale told News 3:
"Upon learning of the incident R-C promptly hired a highly regarded outside forensic investigator. The investigator confirmed the incident has been fully remediated. All R-C customers who might be affected have been notified of the situation and its resolution."
Bon Secours officials told News 3's Merris Badcock they had to wait to notify patients about the breach until their internal investigation was complete and they could notify the right people.
A 'certified ethical hacker', Charles Tendell, told News 3 he thinks the company acted appropriately, even if it seems like a long time to patients.
"A lot of times organizations will hold off on telling people about breaches until they've been confirmed, until they've talked to the appropriate legal people," Tendell told News 3 in a Skype interview.
Information contained in the files may have included patient name, health insurer’s name, health insurance identification number, social security number and limited clinical information.
According to Tendell, your social security number is the one thing you do not want hackers to get.
"Your social security number is usually the one they can't get from anywhere else, other than the IRS or one of these serious breaches," Tendell said.
Medical records were not included, and Bon Secours has no knowledge that the information contained within the files has been misused in any way.
Officials with Bon Secours told News 3 this was not a data breach, but Tendell says that is not entirely true.
"Records exposed means this piece of information was available on the internet," said the certified ethical hacker. "A data breach means that someone hacked into the system. In the end it means the same thing for the basic consumer: your data is out there on the internet."
A spokesperson for Bon Secours says 435,000 of the affected patients are in Virginia. Other patients affected are located in South Carolina and Kentucky.
According to Tendell, there are three things you should do if you think your data might have been compromised:
- Contact the three major credit monitoring bureaus (Equifax, Experian, and TransUnion), and let them know to alert you to any activity.
- Contact your banks and other financial institutions and let them know to alert you to any suspicious information.
- Review your transactions. Tendell says to keep an eye out for minor transactions from random online websites, in amounts like $1.25 and $1.50.
Letters have been sent to all patients who may have been affected. Any patients with concerns or questions may call toll free at 1-888-522-8917, 9 a.m. – 9 p.m. EST, Monday-Friday.
Bon Secours operates several medical facilities in Hampton Roads, including facilities in Chesapeake, Norfolk, Newport News, Portsmouth, Suffolk and Virginia Beach.