Date: 2022-03-11
Some Montrose Regional Health employees’ email accounts were breached during a roughly three-month period last year, prompting a security review and — “out of an abundance of caution” — an alert to the public.
“We have no evidence of misuse of information as a result of this incident,” Katheryne Mattoon, director of Quality, Risk and Compliance at the hospital, said Friday, a few days after the hospital notified possibly affected people by mail.
“Additionally the type of information potentially affected is not generally associated with instances of identity theft or harm.”
Montrose Regional Health on Feb. 25 noticed unusual activity in an employee email account. With third-party experts, the hospital looked into it and determined there had been unauthorized access to some employee email accounts between Aug. 2 and Oct. 26, 2021.
The review could not determine whether specific information within those accounts had been accessed, but did determine that the accounts may have contained such patient information as names and/or information such as status, internal patient account number, service date, treatment cost, procedure code, provider name or health insurance provider.
“We were unable to definitively determine how the incident occurred; however, these incidents often occur from phishing emails,” Mattoon said. “We are notifying individuals in an abundance of caution.”
According to a notice it posted at montrosehealth.com, the hospital reset account passwords and is reviewing policies and procedures. Mattoon declined to provide specific details, citing security needs.
On Monday, March 8, the hospital mailed out letters to people who may have been affected; these should have reached everyone within the next few days if they’ve not already arrived.
People can receive more information at the MRH dedicated assistance line, 877-621-2423, Monday - Friday, 7 a.m. - 7 p.m., or write to the hospital at 800 S. Third St., Montrose, CO 81401, attention Quality Department.
The hospital said in its online notice that although there is no evidence that patient information has been misused, those affected should review account statements and explanation of benefits forms for suspicious activity or errors.
Individuals are entitled to one free credit report each year from either TransUnion, Experian or Equifax. Visit www.annualcreditreport.com or call 877-322-8228 for more information.
The hospital’s notice also says individuals can place a fraud alert on a credit file at no cost and if they are victims of identity theft, they are entitled to an extended fraud alert that lasts for seven years.
Alternatively, they may place a “credit freeze” on a credit report to prevent credit, loans and services from being approved without consent. Under federal law, they cannot be charged to either place or lift a freeze on their credit reports.
The Federal Trade Commission accepts reports from those who learn their information has been misused. To file a complaint, visit www.identitytheft.gov or call 877-438-4338. Known or suspected identity theft should also be reported to local law enforcement agencies. Dispatch may be reached at 970-249-9110.
“Unfortunately, no organization, whether it be public or private, is immune from the constant threat of cyber incidents,” Mattoon said. “However, we are committed to continuing to take the necessary steps to further protect our patient information.”