ValleyCare: Personal Data Stolen from Local Patients

YOUNGSTOWN, Ohio -- ValleyCare Health System of Ohio today reported that "imited personal identification data belonging to some patients who were seen at physician practices and clinics affiliated with ValleyCare Health System of Ohio over the past five years was transferred out of our organization in a criminal cyber attack by a foreign-based intruder."

The ValleyCare statement followed this morning's filing with the U.S. Securities and Exchange Commission by ValleyCare's parent, Community Health System of Tennessee, that revealed the cyber attack (READ STORY).

CHS said its computer network had been hit in April and June. CHS operates ValleyCare Health System of Ohio, which operates three hospitals in Mahoning and Trumbull counties, and Sharon Regional Health System in Sharon, Pa.The transferred information did not include any medical information or credit card information, but it did include names, addresses, birthdates, telephone numbers and social security numbers, the company said.

The transferred data was non-medical patient identification data -- including patient names, addresses, birthdates, telephone numbers and Social Security numbers -- related to CHS’ physician practice operations. The breach affects approximately 4.5 million individuals who, during the past five years, were referred for or received services from physicians affiliated with CHS.

The affected data did not include patient credit card, medical or clinical information, CHS said.

Said ValleyCare in its statment, "We take very seriously the security and confidentiality of private patient information and we sincerely regret any concern or inconvenience to patients. Though we have no reason to believe that this data would ever be used, all affected patients are being notified by letter and offered free identity theft protection.

CHS said it learned of the attack in July and has since worked with federal law enforcement authorities in connection with their investigation and possible prosecution of the parties determined to be responsible for the attack. In addition, it is providing “appropriate notification to affected patients and regulatory agencies as required by federal and state law” and will offer identity theft protection services to individuals affected by the attack.

“While this matter may result in remediation expenses, regulatory inquiries, litigation and other liabilities, at this time, [CHS] does not believe this incident will have a material adverse effect on its business or financial results,” the company said in its SEC filing.

Added ValleyCare in its statement, "Many American companies and organizations have been victimized by foreign-based cyber intrusions. It is up to the Federal Government to create a national cyber defense that can prevent this type of criminal invasion from happening in the future."

Published by The Business Journal, Youngstown, Ohio.
CLICK HERE to subscribe to our twice-monthly print edition and to our free daily email headlines.