Capital Region reaching out to patients about cyberattack

Capital Region Medical Center announced late Friday afternoon it is notifying patients that their information may have been involved in a December 2021 cybersecurity incident.

As the News Tribune reported at the time, the incident left the Capital Region network and phone systems down for several days.

The hospital discovered a disruption to its network systems Dec. 17, 2021. It disabled its network as a security measure and initiated an investigation. Investigators determined the breach was the result of a security incident.

At the time, it was unclear if patients' personal information was breached, but hospital officials said if that occurred, they would "notify those individuals in accordance with applicable laws."

On Friday, Capital Region officials said the investigation concluded that an unauthorized third party gained access to files containing personal and health information.

"Based on the investigation to date, while there is no indication that the electronic medical health record database was accessed, CRMC has determined that personal and health information relating to some patients was contained in files accessible to the unauthorized third party," according to a hospital news release. "Such information included first and last name, date of birth, full mailing address, medical information, and health insurance information."

For some patients, Social Security numbers, driver's license numbers and financial account information may have been accessed.

"While there is no evidence of any instances of fraud or identity theft as a result of this incident, out of an abundance of caution, beginning today (Friday), CRMC will begin notifying all current and former employees, and patients whose information was involved and for whom CRMC has a valid mailing address to provide additional information and resources to help protect their information," according to the release. "For those individuals whose Social Security numbers or driver's license numbers were involved, CRMC is offering one year of credit monitoring at no cost."

Capital Region officials recommend affected patients review any statements they receive from their health care providers or health insurers. Those who find any medical services they did not receive should call their provider or insurer immediately.

"CRMC deeply regrets that this incident occurred and for any concern this may cause," the release concluded. "CRMC continues to evaluate its security practices, and to help prevent something like this from happening again, CRMC will continue to identify opportunities to implement additional cybersecurity measures."

Individuals who have questions or want more information can call a dedicated toll-free helpline at 855-618-3184 from 8 a.m. to 8 p.m. Monday through Friday.

More information is also available on Capital Region's website at crmc.org/patients-and-visitors/securityupdate/.
