Hospital donor files compromised

March 6, 2008

By Markian Hawryluk and Betsy Q. Cliff, The Bulletin

A computer virus may have exposed to outside eyes the names, credit card numbers, dates of birth and home addresses of more than 11,500 individuals who donated to Cascade Healthcare Community, the parent company of St. Charles in Bend and Redmond.

The virus penetrated the computer system Dec. 11, and the hospital's information technology staff believed they had rebuffed it. But Feb. 5, they detected suspicious activity in the system and called in computer forensic experts to investigate.

By Feb. 20, it became clear the information had been made vulnerable by the virus.

On Wednesday, the hospital announced the data may have been exposed. The data breach is a concern due to the potential for identity theft.

Hospital officials say it is not clear whether any of the information was seen by individuals outside the hospital. There is no evidence that patient health information was compromised, officials said.

"Although the investigation provided no indication that information was misused, CHC is working quickly and diligently to provide all affected members of our community with leading credit monitoring service at no charge," Cascade Healthcare President and CEO Jim Diegel said in a prepared statement.

"We want to express our sincere apologies to those community members who have trusted us with their information for the inconvenience and worry this situation may have caused."

Hospital officials said they have had no reports of any of the credit card data being misused. Cascade Healthcare has contracted with a credit monitoring service that will provide affected individuals with 12 months of credit monitoring at no charge. Individuals whose records were involved will receive a letter with further instructions by the end of next week.

"People who do not get a letter regarding this should assume that none of their files were exposed," said Joe Smith, vice president of strategic planning for the hospital system. "The letter is very clear about what they should do. If they do not get a letter, they should not be concerned."

The number affected is only a small portion of the total number of contributors, said Cascade Healthcare spokeswoman Janette Sherman.

Although the hospital system uses a single, integrated computer system, Smith said the donor records were in a separate portion from medical and billing records.

What's next

"A virus can be a very insidious thing," Smith said. "We're running our virus sensitivities way up there, even at the expense of slower response times on the system, and we are looking at putting a redundant virus system on top of that other one."

Officials said a list of employee user names and passwords was also vulnerable for a short period of time, though the hospital is not sure exactly how long. That vulnerability could have allowed an unauthorized person to log into the network but not to get to applications that store patient data, according to Sherman.

All employees were required to change their passwords Feb. 21 to prevent unauthorized access. That rendered the old passwords "totally useless," Smith said.

The hospital system is still unsure how the virus was introduced and would not release the name of the virus.

"We don't really know exactly the origin of it," Smith says. "The only thing we do know is it probably came through a Web browser, a thumb drive or some other external device. We don't know who did it, whether it was intentional, whether it occurred as a result of other viruses that are constantly attacking."

A report was filed with Bend police, but officials acknowledged they may never know who is responsible for the virus. Officers familiar with the incident could not be reached for comment.

Smith said computer systems are routinely exposed to viruses but most are caught by anti-virus software. The hospital system is planning on installing a second level of virus protection to minimize the chance of a reoccurrence.

Information technology staff at Cascade Healthcare were alerted to the problem when they noticed a large amount of data being transferred back and forth within the computer system. Outside forensic experts then confirmed the virus had potentially exposed the information.

Under a state law implemented last fall, Cascade Healthcare Community is required to notify all those who may have been affected as soon as possible, though the law doesn't specify a time period.

"You have to notify people and let them know their information may have been compromised," said Diane Childs, the identity theft outreach coordinator for the Oregon Department of Consumer and Business Services.

Staying a step ahead

Childs said consumers, once they receive notification, should look more vigilantly at their bank statements and credit card statements, and cancel credit cards if they see suspicious activity. They can also receive a free copies of their credit reports. The letter from Cascade Healthcare will tell them how to do that.

There are no state-level departments that investigate security breaches like this one, Childs said. It would be up to local law enforcement, she said.

With the increasing digitalization of financial and medical data, hospitals and other institutions are involved in a constant fight to stay a step ahead, or at least not too many steps behind, computer hackers and viruses.

The privacy Web site,, has chronicled the breach of more than 218 million records since 2005, in a less-than-exhaustive list that includes a number of hospitals and health insurance companies.

A 2006 survey by Phoenix Health Systems, which provides consulting on compliance with federal privacy laws, found that nearly 40 percent of health care providers and one-third of insurers had reported a data security breach in the previous six months.

In late 2005, computer disks and tapes containing the names and personal information of 365,000 patients of Portland-based Providence Home Services were stolen from an employee's car. Last year, Empire Blue Cross and Blue Shield in New York began notifying some 75,000 members that a CD containing their personal data had gone missing. The disc was recovered four days after the warnings went out.

main page ATTRITION feedback