CHI Health says cybersecurity breach may have exposed some patients’ data | Local

CHI Health is notifying patients that one of its vendors had a "cybersecurity event" that may have exposed some patients' protected health information.

The data involved includes names, Social Security numbers, medical codes, addresses, phone numbers, email addresses dates of birth and gender.

The vendor, MCG Health LLC, determined on March 25 that an unauthorized party had previously obtained personal information that matched data stored on MCG's systems, CHI Health officials said in a press release.

MCG, a Seattle-based technology company, provides patient care guidelines to health care providers and health plans across the United States, including CHI Health.

The company notified CHI Health officials on April 22 that some of its patients' data may have been involved. CHI Health officials said in their statement that they were hopeful at first that their patients' information had not been accessed or disclosed. However, the health system determined May 11 that "there is a likelihood that the protected health information of some of our patients may have been compromised."

No information was available indicating how many CHI patients may have been affected. A CHI Health official referred questions to MCG, which could not be reached immediately Tuesday for comment.

MCG did not specify in a June 10 notice of the event on its website how many of its customers may have been impacted. The Sioux Falls Argus Leader reported Monday that the information of about 700 patients of Avera McKennan Hospital and University Health Center had been accessed by an unauthorized party. 

CHI Health officials said that MCG will notify affected patients by letter on the health system's behalf.  

MCG, according to the release, has retained a forensic investigation firm to assist and also is coordinating with the FBI.

While the exact nature of the event was not specified, data breaches and cyberattacks targeting health systems have increased in the past several years. The U.S. Department of Health and Human Services tallied 618 breaches and attacks affecting at least 500 people in 2021.

In 2020, an investigation found that an unauthorized party gained access to Nebraska Medicine's and UNMC’s shared network. The party deployed malicious software, or malware, and acquired copies of some patient and employee information held on the systems. While the data of thousands of people may have been involved, an investigation found no evidence that individuals’ personal information had been used to commit fraud or identity theft as a result of the incident.

MCG is offering affected CHI Health patients identity protection and credit monitoring services for two years at no cost. The company also has set up a call center to answer questions related to the event. The call center is available at 866-475-7221 Monday through Friday from 8 a.m. to 6 p.m. and Saturday and Sunday from 10 a.m. to 3 p.m. Additional information is available on MCG's website, mcg.com. Look for "Notice About Patient and Member Data."

CHI Health officials encouraged patients to review account statements and monitor free credit reports. Americans are entitled under federal law to one free credit report a year from each of the three nationwide consumer reporting agencies. To order a report, visit annualcreditreport.com or call toll-free 877-322-8228.