The incident happened over Labor Day weekend, and it is possible that the hackers accessed names, addresses, birth dates, and Social Security numbers of about 230,000 patients and their families, as well as a database containing the bank-account information of about 12,000 donors.
The hospital began notifying the families on Wednesday -- seven weeks after the breach was discovered -- by sending out 10,000 letters, followed by 120,000 more on Friday. The remaining 100,000 notifications will be sent Monday.
"Everyone that's going to be contacted should know by Wednesday,'' said Bob Howard, the hospital's director of planning.
The hackers gained access to the hospital's computer network during an expansion of the system.
"We don't know that anybody was actually affected,'' Howard said. "All we know is, it's possible. The information was visible for the two hackers who were able to get into the system.... We don't even know if they took anything.''
But those whose personal or financial information may have been exposed are at very real risk, said Jay Foley, founder of the nonprofit Identity Theft Resource Center. Stolen Social Security numbers can be used to open new bank accounts or new loans in the victims' names. Stolen bank account information can be used to drain bank funds or freeze accounts.
``My question would be, why did the hospital wait so long,'' Foley said from his office in San Diego. ``The first place they should have called when they suspected a breach was the FBI.... That kind of delay is unacceptable.''
The breach was detected on Sept. 6, but the hospital did not contact the FBI until Oct. 20.
"I don't know that it could have been any sooner,'' Howard said.
The hospital didn't contact the FBI initially because its security consultants didn't suspect a major problem.
"The first report they gave us said, quote-unquote, you dodged a bullet,'' Howard said. "That's where we were at then.''
But about three weeks later, near the beginning of October, "we were informed it was a little more serious than we had initially been led to believe,'' Howard said.
At that point, the hospital realized that "it was theoretically possible'' that patients' personal information had been exposed to an outside threat and hired an expert to build a database of the names of the patients and donors at risk, which took several more weeks.
"I know that appears to be a long time, but it was as fast as we could get the information,'' Howard said.
According to a statement on the hospital's web site (www.akronchildrens.org) computer security consultants hired by the hospital "found no evidence that any specific data was downloaded, tampered with or compromised; however, the opportunity to view the data existed.''
The breaches did not access any information related to emergency room visits, hospital stays, laboratory work or radiology, "that we know of,'' Howard said.
Two groups are potentially most affected -- patients' families and people who donated money to the hospital.
The patient information accessed by the hackers included billing information from office visits to doctors employed by Children's Hospital. Those records contained personal information, such as Social Security numbers, but did not contain any medical or financial information, the hospital said.
The donor database included bank-account information and routing numbers, though it did not contain Social Security numbers. Credit card information attached to the donor files was encrypted and unreadable to the hackers.
Howard said the hospital kept donor bank-account information so it could answer questions when donors called to ask if or when a check had been cashed.
Most of the exposed information is about 3 years old or less, Howard said, though it's possible the data could be as old as 7 to 8 years in some cases.
To prevent this from happening again, the hospital said, it has "reviewed and enhanced'' its security procedures, while hiring a second security company to test those new procedures.
In 2005, according to the Identity Theft Resource Center, there were 151 incidents nationwide in which company computers were breached to expose personal or financial information of more than 57.7 million people.
|
