Notice of VMMC Security Event

Virginia Mason Medical Center Phishing Security Event

The health and safety of Virginia Mason Medical Center (VMMC) patients, staff and community is our top priority. VMMC takes the protection and proper use of patient and employee information very seriously. We are notifying the public about a data security incident that may have exposed some patient and employee personal information.

What happened?

An unauthorized person may have accessed some of VMMC’s staff email accounts between December 21, 2021 and January 3, 2022 through an email Phishing event. VMMC initiated an investigation and reviewed the contents of the emails to determine if sensitive information was within those accounts. On January 18, 2022, VMMC determined that protected health information was present in some of the emails. The event impacted just under 3,000 individuals.

What information was involved?

The information may have involved protected health information and employee information, including name, address, date of birth, dates of service, medical record numbers, and clinical information about medical treatment or diagnoses. For a handful of individuals, the information may have involved Social Security Number, passport information, driver’s license, or health insurance number. Patients and employees will be notified as required by HIPAA and state law.

What we are doing.

VMMC conducted a thorough investigation of the events. Blocks to the phishing domain were quickly put in place, credentials and passwords were reset, and suspicious activity was quarantined. Staff will be reeducated on steps to ensure the security of protected information and to guard against phishing attacks. VMMC reviewed every email involved to determine the information that may have been present. We have no evidence that the information was actually accessed or left our system, but out of an abundance of caution, we are notifying you of the situation.

To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide notification and in some cases, identity monitoring at no cost to affected patients’ and employees. Kroll has extensive experience helping people who have sustained an unintentional exposure of confidential data.

What you can do.

Though we have no evidence that the information has been misused, it is always prudent to review your health care statements for accuracy and report any services or charges that you did not incur to your provider or insurance carrier.

VMMC regrets this event and any concern it may cause. We strive to always maintain the privacy and security of our patients’ and employees’ protected information.

If you need more information about this event, we have retained Kroll, a trusted partner, to manage a call center that can answer specific questions about this event. To contact Kroll, please call 1-855-541-3571, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time. Media questions should be directed to the Media Hotline: 253-382-3889; [email protected].