Notice of VMMC Security Event

Virginia Mason Medical Center CyberSecurity Event

The health and safety of Virginia Mason Medical Center (VMMC) patients, staff and community is our top priority. VMMC takes the protection and proper use of patient information very seriously. We are notifying the public about a data security incident that may have exposed some patient and employee personal information.

What happened?

Between January 16 and January 20, 2022, VMMC experienced a security incident in which three servers were intruded upon by an unauthorized external third party. Upon discovery of the incident, VMMC immediately secured the servers and initiated an investigation involving its internal cybersecurity team. VMMC also engaged an external forensics vendor to determine the manner and scope of any potential compromise of information present on the servers. On April 20, 2022, personally identifiable and/or protected health information was found to be present in some of the files on the servers that may have been accessed or viewed by the unauthorized party. However, there was no evidence that the information was exfiltrated or left the system. The event impacted 1523 individuals.

What information was involved?

The information may have involved: name, date of birth, email address, phone number, Social Security number, health insurance number, and possibly the presence on a COVID vaccine waiting or scheduling list, or symptoms related to COVID screening and surveillance. Impacted individuals will be notified as required by HIPAA and state law.

What we are doing.

VMMC conducted a comprehensive investigation of the incident. The FBI was notified as well. Upon discovery, the involved servers were quickly removed from the network. The involved servers were isolated for investigation and subsequently will no longer be used. New servers containing updated security and software were put in place. The forensic vendor, and other partners, reviewed each file that the unauthorized party may have accessed to determine what, if any, personal or protected health information was present.

We have no evidence that the information left our system, but some of the data may have been viewed. Therefore, we are notifying impacted individuals of the situation.

To help relieve concerns and restore confidence following this incident, we have secured the services of Kroll to provide notification and, in some cases, identity monitoring at no cost to affected patients and employees. Kroll has extensive experience helping people who have sustained an unintentional exposure of confidential data.

What you can do.

Though we have no evidence that the information has been misused, it is always prudent to review health care statements for accuracy and report any services or charges that you did not incur to your provider or insurance carrier. The Federal Trade Commission also has information regarding identity theft protection. You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft or call them at 1-877-IDTHEFT (438-4338).

VMMC regrets this event and any concern it may cause. We strive to always maintain the privacy and security of our patients’ and employees’ protected information.

If you need more information about this event, we have retained Kroll, a trusted partner, to manage a call center that can answer specific questions about this event. To contact Kroll, please call (855) 503-3372, Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time.

Media questions should be directed to the Media Hotline: 253-382-3889; [email protected].