What happened? The names, addresses and Social Security numbers of about 51,000 patients of St. Vincent Indianapolis Hospital were made available on the web because of a security lapse by a third-party vendor.
What was the response? The hospital notified all victims by letter and is providing free credit-monitoring service for one year and a free credit report. The patient data was removed from the web and the hospital terminated its relationship with the vendor.
Details: The compromise occurred when Verus, a subcontractor developing a billing site for the hospital, accidentally made the information public from a test website when changing a server. The data could be found by a web search.
Quotes: “We have no confirmation that any patient’s personal information was accessed, retrieved or compromised in any way,” said Johnny Smith, St. Vincent’s spokesman. “We have terminated our relationship with Verus.”
“For the people whose data was involved, statistically they can sleep well tonight,” said Fred Cate, director of the Center for Applied Cybersecurity research at Indiana University.
For help: Victims can sign up for free credit-monitoring service from CSIdentity by going to http://www.csidentity.com/stvincent/
Source: The Indianapolis Star, July 25, “Data lapse involved 51,000, St. Vincent says”