Nebraska Medicine and the University of Nebraska Medical Center have begun notifying patients and employees whose personal information may have been involved in a data security incident last fall.
The incident may have impacted about 219,000 people in Nebraska and other states, health system officials said in a statement. However, an investigation that began in late September found no evidence that individuals’ personal information has been used to commit fraud or identity theft as a result of the incident.
The investigation began on Sept. 20 when the health system’s information technology team detected unusual activity on its systems. The team immediately isolated potentially impacted devices and shut off select systems with the goal of minimizing disruption to patients. Nebraska Medicine and UNMC also notified law enforcement and engaged computer forensic experts to assist in the investigation.
The incident led to the postponement of patient appointments for a time and required staff in the system’s hospitals and clinics to chart by hand.
The investigation found that an unauthorized party gained access to Nebraska Medicine and UNMC’s shared network between Aug. 27 and Sept. 20. The party deployed malicious software, or malware, and acquired copies of some patient and employee information held on the systems.
The incident also affected a limited number of patients seen at Faith Regional Health Services in Norfolk, Great Plains Health in North Platte and Mary Lanning Healthcare in Hastings and whose information was in the Nebraska Medicine/UNMC network.
For some patients, the incident involved one or more items of information such as their name, address, health insurance and clinical information. A limited number of patients’ Social Security numbers were affected. The incident, however, did not result in unauthorized access to the health system’s shared electronic medical record application.
About a week later, another incident struck a major hospital chain in the United States.
Universal Health Systems, one of the largest health care systems in the country, operates more than 250 hospitals and other clinical facilities, including many behavioral health care facilities. None of them are in Nebraska or Iowa.
That incident, too, left doctors and nurses to rely on paper backup systems.
Later in the fall, the FBI and other federal agencies reportedly warned of the potential for more cyberattacks on hospitals.
Nebraska Medicine’s notification letters include guidance on how patients can protect their information. Nebraska Medicine and UNMC are providing all individuals whose Social Security number or driver’s license were accessed with complimentary credit-monitoring and theft-protection services.
Patients also are asked to review statements from their health care providers and insurers and contact them immediately if they see charges for services they did not receive.
Patients with questions about the incident can call the call center established to address them Monday through Friday from 8 a.m. to 5:30 p.m. at 1-855-763-0482. More information is available at nebraskamed.com/PrivacyIncident.