GLENWOOD SPRINGS — The personal information of more than 5,000 people who have been patients at Valley View Hospital may have been compromised by a computer virus that infected the hospital’s computer system, according to officials there.
Hospital information technology (IT) officials discovered the virus in early January, said Stacey Gavrell, Valley View Community Relations director, and steps were taken immediately to quarantine the virus and begin the laborious process of determining what happened.
A forensic IT team was brought in to conduct the investigation, she said, and the results so far indicate that:
• From Sept. 11, 2013, to Jan. 23 this year, the virus took screen shots of Internet web pages off selected hospital computers and stored the information in hidden, encrypted files within the hospital’s system.
• Personal information pertaining to about 5,400 patients was found in the files. “No medical information was collected,” said Gavrell.
• In some cases, only names were in the files. In others, names, bank account and credit card information, dates of birth, phone numbers, Social Security numbers and other information were present, she said.
It is not clear whether the information ever left the system.
“The hospital has been unable to confirm whether any data was improperly accessed by or transmitted to an outside entity,” according to a prepared statement released by the hospital.
“We apologize for any inconvenience or concern that this may cause our patients, employees and their families,” said Gary Brewer, chief executive officer of the Valley View Hospital Association. “We take our responsibility to protect patient information very seriously.”
Gavrell did not know whether the data collected in the encrypted files was limited to people who were patients during the time when the virus was active or whether patients outside that time frame might also have been affected. She also did not know how much the hospital has spent addressing the issue.
The hospital has taken the following steps to protect individuals who may have files that were potentially compromised:
• Notification letters, which will be mailed Monday, March 17, are to be sent to all individuals who may have been affected. The letter will outline steps they can take to mitigate a potential impact.
• The hospital has established a dedicated data virus information line — 888-236-0444 — to assist people with questions and to inform them how they can protect themselves. It is available 7 a.m. to 7 p.m. beginning Saturday, March 15, and continuing Monday through Friday. Spanish-speaking operators are available.
• The hospital is offering free identity- and credit-protection services for a year. More information is available at www.vvh.org or by calling the virus information line above.
The hospital also has upgraded and expanded its IT security and procedures, Gavrell said.