The people who conducted a cyberattack on Capital Region Medical Center accessed some patients' records.
CRMC sent out a news release concerning the Dec. 17 attack late Wednesday morning, providing a few more details about the attack, and information for patients and providers, should they think their information was accessed.
The attack left the hospital nearly mute for more than two weeks.
"While some services remain impacted, we have made significant progress on restoring systems," the release said. "Our website is back online, including access to the patient portal and online bill pay."
The hospital and outside agencies continue to investigate the incident. CRMC is reviewing files to find out whose records and what information hackers accessed and will notify any individuals affected "in accordance with applicable law."
"Applicable law means that CRMC will comply with any legal obligation to notify impacted individuals, including every applicable state data breach notification law and HIPAA's Breach Notification Rule," Lindsay Huhman, director of Marketing and Communications, said in an email. "The investigation into the scope of the incident remains ongoing. We are reviewing files to determine whose and what specific information was accessed and will notify those individuals in accordance with applicable law. This review process is extensive and may take time to complete. In the meantime, we encourage individuals to remain vigilant by monitoring their accounts and free credit reports."
The hospital encourages patients and employees to review their statements of unusual activity. It has provided a short "Frequently Asked Questions" page on its website with more information about the attack. For further questions about the incident or the administrative support, the hospital set up a call center at 855-618-3184. The center is available 8 a.m.-5:30 p.m. Monday-Friday.
As a health care provider, CRMC is required to keep some records for legal and regulatory reasons, according to the FAQ page. That may include health information of patients and employee personal information. The hospital takes its responsibility to protect personal data seriously, and continues to take all appropriate measures.
CRMC encourages patients and employees to remain vigilant in reviewing statements and free credit reports, review health statements, place fraud alerts or security freezes on credit files, and report suspicious activity.
Anyone who believes they are victims of fraud or identity theft should file a police report and get a copy of the report to submit to creditors and others who may require proof a crime to clear up their records.
The police report may also provide you with access to services that are free to identity theft victims.
"There is still more work to be done, and our IT staff is working diligently to bring systems back online safely and securely," the release said.