Computer virus exposed records at Valley View
Valley View Hospital in Glenwood Springs said Friday a computer virus compromised personal but nonmedical information regarding 5,400 patients.
The hospital found the virus in early January and there is no evidence that the data was accessed or transmitted to an outside entity, it says. However, it is taking steps including notifying those potentially affected and providing them with protection services and programs, while also upgrading its computer security.
In a statement on its website, the hospital said after the breach was discovered, an information technology forensic firm was brought in and determined that a sophisticated virus captured screen shots of Internet web pages and stored the images in an encrypted, hidden system file that could have been accessed by an outside entity.
“Upon this discovery on January 23 … the hospital immediately shut down incoming and outgoing Internet traffic to quarantine all information. Steps were taken to remove the virus from the system,” the hospital said.
Two days later, the forensic firm reported to the hospital that the information in the hidden folder “varied for each affected individual but included individual names and in some cases addresses, date of birth, telephone numbers, social security numbers, credit card information, admission date, discharge date and patient visit numbers. No medical information was included.”
Hospital spokeswoman Stacey Gavrell said it was determined the virus first struck on Sept. 11, but she doesn’t know if patients treated before then were affected.
The hospital will send out letters Monday to all of those potentially impacted. It established an information line, 888-236-0444, to help answer questions and let people know how they can protect themselves. It will be available from 7 a.m. to 7 p.m. on Saturday, and then continuing Monday through Friday, and Spanish-speaking operators will be available.
Valley View also is offering free identity and credit protection services for a year to affected patients, Gavrell said.
The hospital has launched a new, upgraded and expanded information security program.
“We apologize for any inconvenience or concern that this may cause our patients, employees and their families,” Chief Executive Officer Gary Brewer said in the hospital’s statement. “We take our responsibility to protect patient information very seriously. We have responded to this situation as quickly and comprehensively as possible, and we continue to monitor progress as we take steps to inform and support those potentially affected by this incident.”
Asked about why the hospital didn’t go public with the problem until this week, Gavrell said it first had to finish decoding information “to get to a place to know which patients were impacted.”
“We’ve actually worked as quickly as possible. It’s been an extensive process to be able to go through all of this,” she said.