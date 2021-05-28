ATTLEBORO — Sturdy Memorial Hospital paid an undisclosed ransom after patient information was hacked in early February, the hospital revealed late Friday afternoon.
Sturdy mailed letters Friday to patients whose information may have been compromised.
The hospital said it identified a data security “incident” on Feb. 9 that disrupted the operations of its information technology systems and involved some patient information.
“Sturdy immediately took steps to secure its systems, launched a thorough investigation with the assistance of a third-party forensic investigator, and notified law enforcement,” the hospital said in a prepared statement it emailed to The Sun Chronicle after 4 p.m. Friday.
In subsequent emails, hospital spokeswoman Kathi Hague said, “We paid a ransom to obtain assurances that the information acquired without authorization would not be further distributed and had been destroyed. We are not disclosing the amount of ransom paid. We reported the incident to the FBI.
“Sturdy is deeply committed to protecting the security and confidentiality of the information it maintains, and diligent efforts were made to notify as quickly as possible after completing the investigation of the incident and thorough analysis of the information that may have been involved.”
Through its investigation, Sturdy said it determined an unauthorized party gained access to some of its systems the morning of Feb. 9.
The hijacking of computer systems for ransom by criminal enterprises has plagued big companies for almost a decade. The hackers are most often traced back to Eastern Europe and, through viruses called ransomware, put freezes on a company’s computer system until a ransom is paid.
Earlier this month, a major East Coast gas pipeline was shut after criminals infiltrated the company’s computers. Colonial Pipeline ended up paying an undisclosed amount for the ransom but not before gasoline supplies in the southeastern part of the United States were disrupted for a few days.
On April 21, Sturdy’s review and analysis of the files involved in the incident determined information belonging to Sturdy patients was contained in the files, the hospital said.
The analysis also determined information associated with patients of other healthcare providers with which Sturdy previously partnered for the coordination of patient care was also involved. They included Harbor Medical Associates, South Shore Medical Center, and providers affiliated with South Shore Physician Hospital Organization.
The information may have included names, contact information such as addresses and phone numbers, dates of birth, Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, routing numbers and/or bank names, credit card numbers and security codes, Medicare health insurance claim numbers, medical history information, treatment or diagnosis information, procedure or diagnosis codes, prescription information, provider names, medical record numbers, Medicare/Medicaid numbers, health insurance information, and/or treatment cost information.
“Importantly, Sturdy’s electronic health record system was not involved in the incident,” the hospital said.
For individuals whose information may have been involved, Sturdy recommends they review statements they receive from their healthcare providers and contact the relevant provider immediately if they see services they did not receive.
Sturdy also recommends they review their financial statements for any unauthorized activity, and immediately report any such activity to their financial institution.
For eligible individuals whose Social Security numbers and/or driver’s license numbers may have been involved in the incident, Sturdy is offering credit monitoring and identity protection services through Experian at no charge.
“Sturdy takes this incident very seriously and sincerely regrets any concern this may cause,” the hospital said.
To help prevent future incidents, Sturdy said it has implemented additional safeguards and technical security measures to further protect and monitor its systems.
A dedicated call center has been established to answer any questions about the incident. It can be reached at 1-855-537-2087 from 9 a.m. to 6:30 p.m. Monday through Friday.
