Computer virus may have compromised Valley View Hospital patient information
March 15, 2014
Tips for online security
Be alert to impersonators: Make sure you know who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the Internet unless you’ve initiated the contact or know who you’re dealing with.
Safely dispose of personal information: Before you throw away a computer, get rid of all the personal information it stores. Use a wipe utility program to overwrite the entire hard drive. Before you dispose of a mobile device, check for information about how to delete information permanently and how to save or transfer information to a new device. Remove the memory or subscriber identity module (SIM) card.
Encrypt data: Keep your browser secure. To guard your online transactions, use encryption software that scrambles information you send over the internet. A “lock” icon on the status bar of your Internet browser means your information will be safe when it’s transmitted. Look for the lock before you send personal or financial information online.
Keep passwords private: Use strong passwords with your laptop, credit, bank, and other accounts. Be creative: think of a special phrase and use the first letter of each word as your password. Substitute numbers for some words or letters.
Don’t overshare on social media: If you post too much information about yourself, an identity thief can find information about your life, use it to answer “challenge” questions on your accounts, and get access to your money and personal information. Never post your full name, Social Security number, address, phone number, or account numbers in publicly accessible sites.
Clues your information was stolen
• You see withdrawals from your bank account that you can’t explain.
• You don’t get your bills or other mail.
• Merchants refuse your checks.
• Debt collectors call you about debts that aren’t yours.
• You find unfamiliar accounts or charges on your credit report.
• Medical providers bill you for services you didn’t use.
• The IRS notifies you that more than one tax return was filed in your name, or that you have income from an employer you don’t work for.
Source: Federal Trade Commission
GLENWOOD SPRINGS —The personal information of more than 5,000 people who have been patients at Valley View Hospital may have been compromised by a computer virus that infected the hospital's computer system, according to officials there.
Hospital information technology (IT) officials discovered the virus in early January, said Stacey Gavrell, Valley View Community Relations director, and steps were taken immediately to quarantine the virus and begin the laborious process of determining what happened.
A forensic IT team was brought in to conduct the investigation, she said, and the results so far indicate that:
• From Sept. 11, 2013, to Jan. 23 this year, the virus took screen shots of Internet web pages off selected hospital computers and stored the information in hidden, encrypted files within the hospital's system.
• Personal information pertaining to about 5,400 patients was found in the files. "No medical information was collected," said Gavrell.
• In some cases, only names were in the files. In others, names, bank account and credit card information, dates of birth, phone numbers, Social Security numbers and other information was present, she said.
It is not clear whether the information ever left the system.
"The hospital has been unable to confirm whether any data was improperly accessed by or transmitted to an outside entity," according to a prepared statement released by the hospital.
"We apologize for any inconvenience or concern that this may cause our patients, employees and their families," said Gary Brewer, chief executive officer of the Valley View Hospital Association. "We take our responsibility to protect patient information very seriously."
Gavrell did not know whether the data collected in the encrypted files was limited to people who were patients during the time when the virus was active or whether patients outside that time frame might also have been affected. She also did not know how much the hospital has spent addressing the issue.
The hospital has taken the following steps to protect individuals who may have files that were potentially compromised:
• Notification letters, which will be mailed Monday, March 17, are to be sent to all individuals who may have been affected. The letter will outline steps they can take to mitigate a potential impact.
• The hospital has established a dedicated data virus information line — 888-236-0444 — to assist people with questions and to inform them how they can protect themselves. It is available 7 a.m. to 7 p.m. beginning Saturday, March 15, and continuing Monday through Friday. Spanish-speaking operators are available.
• The hospital is offering free identity- and credit-protection services for a year. More information is available at http://www.vvh.org or by calling the virus information line above.
The hospital also has upgraded and expanded its IT security and procedures, Gavrell said.