St. Joseph Health System officials said Tuesday that more than 405,000 patient and employee records stored on a system server were subject to a two-day data security attack in mid-December.
Tim Ottinger, vice president for the regional health system, said the security breach started Dec. 16 and was discovered two days later by St. Joseph IT employees, who immediately took the server offline.
A large majority of the hacked data consisted of patient records containing names, medical information, Social Security numbers, dates of birth and possibly addresses, Ottinger said.
He said some of the data contained former and current employee information, including bank accounts.
"We are very sorry," Ottinger said. "We regret the attack and the result and the potential of exposure to people's information."
The server accessed, which was just one of many within the system, was comprised of patient and employee data from St. Joseph Regional Health Center in Bryan, Burleson St. Joseph Center, Madison St. Joseph Health Center, Grimes St. Joseph Health Center and St. Joseph Rehabilitation Center.
As of Tuesday, Ottinger said, St. Joseph officials had not received any reports of unusual activity from patients or employees whose information was compromised. All are being sent notification letters informing them of the incident.
Ottinger said forensic investigators were unable to determine if any of the data was extracted by the unauthorized parties.
The investigators were able to identify the primary IP address involved and traced it back to China, he said, later adding that the FBI was contacted and has opened a case file on the incident.
Anyone whose information was stored on the server was automatically enrolled in free identity protection services for a year and the hospital is also providing them an opportunity to enroll in a free triple-bureau credit monitoring service, Ottinger said.
Additionally, a call center has been set up for St. Joseph patients and employees who want to find out if their information was on the server or to inquire about identity protection. The number for the center, which will operate from 8 a.m. to 8 p.m. Monday through Saturday, is 855-731-6011.
Since the data attack, Ottinger said, 10 security measures have been implemented as a means of preventing a similar incident in the future. However, Ottinger declined to discuss any security modifications or additions that have taken place, saying he didn't want to provide hackers with information they could potentially use in their favor.
St. Joseph IT employees are persistently at work fighting off digital intruders, Ottinger said.
"In talking to our chief information officer, I learned there are hundreds if not thousands of attacks every single day in our system," he said. "There's a constant number of people out there trying to get into the system and trying to access information."
Ottinger said notifying individuals who potentially were affected is a requirement under Federal Trade Commission regulations.
He stressed that St. Joseph would not be sending out notifications via email and urged anyone who received an email from someone claiming to represent St. Joseph in relation to the incident to contact the health system.