Thousands of Houston healthcare patients warned about massive data breach

Data leak warning for certain patients in Houston. (Copyright 2023 by KPRC Click2Houston - All rights reserved.)

If you’ve gotten a security notice in the mail recently, you are not alone. Two different hospital system groups in our area are warning patients about a cybersecurity hack where confidential patient information was leaked.

Harris Health System data breach

A KPRC 2 viewer sent us a letter he got from Harris Health System saying his information was compromised.

Harris Health System patients notified about data breach. (Copyright 2023 by KPRC Click2Houston - All rights reserved.)

This is something Harris Health System was warning about a few weeks ago. The breach involves software Harris Health uses called MOVEit. The software allows the hospital system to send and receive files. MOVEit customer data was taken across the United States and around the world.

“On June 2, 2023, Harris Health learned that a vulnerability in the MOVEit software allowed an unauthorized actor to access its MOVEit server. Upon learning of the vulnerability, Harris Health immediately implemented security safeguards to address the vulnerability and secure its MOVEit server. Harris Health also promptly launched an investigation into the nature and scope of the event with the assistance of third-party cybersecurity experts,” the Harris Health statement reads.

“The unauthorized access to our MOVEit service happened on May 28, 2023, during which time certain files were downloaded from that system.”

The letter explains that customer data included address, date of birth, medical record number, driver’s license number or other government-issued ID numbers. Patients are being asked to review statements from health insurers and providers to check for charges for services they did not get.

What is Harris Health doing about data breach?

In a statement, Harris Health says it is committed to maintaining the privacy and security of its patients’ information.

“To help prevent something like this from happening in the future, Harris Health has implemented all patches that the provider of MOVEit has recently made available and taken other remediation steps to secure its MOVEit server. Harris Health will continue to look for ways to enhance its secure file transfer protocols.”

(MOVEit did release a patch and software upgrade to correct the issue.)

“On July 21, 2023, Harris Health began mailing letters to individuals whose information was identified through our review and for whom Harris Health has sufficient contact information. Harris Health is also offering individuals whose Social Security number was involved complimentary credit monitoring and identity theft protection services.”

Harris Health also established a dedicated call center for patients to call with questions. If you believe you are affected, but do not receive a letter by August 31, 2023, please call 1-866-347-7885, Monday through Friday, between 8 a.m. and 5:30 p.m. Central Time, excluding holidays.


HCA Healthcare data security incident

A second recent (unrelated) data security breach impacts patients with HCA Healthcare. HCA operates 182 hospitals and 2,300+ sites across 20 states. In Houston that list includes Women’s Hospital of Texas, Texas Orthopedic Center and the branches of HCA Houston hospitals in cities like Clear Lake, Kingwood, Conroe, Pearland, Tomball, N Cypress and more (see full Houston area list here).

Here’s what the HCA privacy notice says about the data breach: “HCA Healthcare recently discovered that a list of certain information with respect to some of its patients was made available by an unknown and unauthorized party on an online forum.”

The list includes:

  • Patient name, city, state, and zip code
  • Patient email, telephone number, date of birth, gender
  • Patient service date, location and next appointment date

HCA says the list does not include payment information or social security numbers.

“On July 14, 2023, we began emailing patients to provide them with information about the data security incident and to encourage them to be vigilant about any suspicious or unexpected communications from an unfamiliar source or from anyone claiming to be affiliated with HCA Healthcare. Notification letters to impacted patients are being sent by first class mail on a rolling basis, according to states of residence and applicable laws,” the HCA statement reads.

Patients can call (888) 993-0010 to ask any general questions and to confirm the legitimacy of any communication from anyone claiming to be affiliated with HCA Healthcare.

What should I do if my information was involved in a data breach?

Both healthcare systems say all patients impacted will be notified if their information is part of these security breaches. You can check your credit reports just in case. Amy Davis has helpful links for checking your credit reports and monitoring your accounts here.

Wednesday on KPRC 2 Today, KPRC 2 Investigator Amy Davis explains what you should know about medical ID theft including ways to tell if your medical information has been compromised.

