Sentara Healthcare notifies patients after vendor is hacked
A third-party vendor serving Virginia-based Sentara Healthcare suffered a cyberattack, resulting in the 12-hospital delivery system sending breach notification letters to approximately 5,454 affected patients.
Law enforcement informed Sentara of the breach on Nov. 17, 2016, and a Sentara investigation pinpointed the vendor, which it declined to identify in its announcement, as the target. Healthcare organizations often learn of cyberattacks as police in the course of investigating an incident find other facilities that also were affected. Police, Sentara and the vendor continue to investigate the incident, according to the notification letter.
The vendor does not provide direct care to patients, according to a Sentara spokesperson; it provides information reporting and data benchmarking services. With the investigation ongoing, the organization will not provide additional information about the vendor or its current relationship with the vendor.
The compromised patient information “relates to vascular and/or thoracic procedures that took place between 2012 and 2015 at a Sentara hospital in Virginia, and was inappropriately accessed,” the organization has informed patients.
Data at risk includes patient names, dates of birth, Social Security numbers, medical record numbers, procedures, demographic information and medications.
Affected individuals are being offered one year of credit monitoring and identify theft protection in the ProtectMyID Alert service of Experian. The vendor, according to Sentara, is enhancing its security posture.