A Montana healthcare provider that fell victim to a phishing scam has notified 129,000 patients that their personal information was exposed.
According to the Flathead Beacon, Kalispell Regional Healthcare (KRH) informed all its patients by letter on Tuesday of the breach, brought about by a sophisticated cybersecurity attack that occurred in June.
As a result of the breach, the name, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating and referring physicians, medical bill account number, and/or health insurance information of every patient was exposed.
The incident may have also made public the Social Security numbers of an estimated 250 patients.
In a statement released on Tuesday, KRH chief executive officer and president Craig Lambrecht wrote: "Although there is no indication that the information was misused, we have mailed notification letters to potentially-impacted patients to make them aware of the event and the steps they can take to protect their information.
"All notified patients are being offered complimentary fraud consultation and identity theft restoration services. In addition, the notification letters may also offer affected individuals 12 months of web and/or credit monitoring services at no charge, depending on what information was involved for that individual."
KRH uncovered the breach after learning that multiple employees had fallen victim to an email phishing scam, unwittingly providing their workplace email login credentials to threat actors.
Lambrecht wrote that after learning of the "highly sophisticated" attack, KRH immediately disabled the employees’ email accounts, notified federal law enforcement, and engaged digital forensic firm Kroll to launch an investigation into what happened.
Kroll found that unauthorized access to some patients’ information may have occurred as early as May 24. KRH advised patients to review account statements, report suspicious activity to the authorities, and, if necessary, place security freezes on credit files.
KRH employs more than 4,000 people across Kalispell Regional Medical Center, North Valley Hospital, and The HealthCenter and serves a population of 600,000.
Director of IT Melanie Swenson said that an annual threat assessment of KRH's IT system carried out by CynergisTek in autumn 2018 had ranked KRH as among the top 9% of healthcare organizations in the country for cybersecurity compliance.