Conway Regional Health System officials admitted that patients’ personal and health information may have “inadvertent[ly]” been breached during an email phishing attack in June.
“Conway Regional Health System has become aware of a data security incident that may have resulted in the inadvertent exposure of patients’ personal and health information,” Conway Regional officials said in a letter to affected patients. “Although at this time there is no evidence that patient information was actually accessed or viewed, or any indication of anyone’s information being misused, Conway Regional Health System has taken steps to notify anyone who may have been affected by this incident, including sending letters to potentially impacted patients.”
The letter was signed by CEO Matt Troup on Aug. 23. However, the Log Cabin Democrat learned through one of the affected patients that there were varying letters distributed to the hospital’s patients depending on the degree they were affected.
The Log Cabin asked Conway Regional spokesman John Patton on Wednesday how many staff members and patients were affected by the data breach and what measures the hospital was taking to correct the issue. Ginger Daril, who is the director of public relations for Sells Agency, responded on the hospital’s behalf on Thursday with a typed statement that did not include specific information regarding the number of individuals affected or the steps taken to prevent future breaches.
According to a statement released by the hospital, Conway Regional discovered the data breach on June 26.
After learning “some employees’ email accounts had been accessed by an unknown, unauthorized third party as the result of an email phishing attack,” the hospital’s IT department and other “computer experts” launched an investigation, one of the letters sent to patients states.
This particular letter indicated the suspect “could have viewed or accessed” records including the patients’ name, address, social security number, health insurance information as well as “limited medical information.”
One patient from Conway County told the Log Cabin her husband received a letter that said his treatment information and medications list, along with his name and address, could have been breached.
The letters provided patients a toll-free number to contact regarding questions or concerns they had about the matter. However, operators answering the call center did not provide callers any additional information and instead “just read off the letter.”
The entire situation felt like a scam, the woman said.
“The letter itself seemed like a scam,” she told the Log Cabin. “The person on the phone said they didn’t know anything other than what the letter says.”
The woman also said she found it alarming that the breach was discovered in late-June, the letters to patients weren’t created until Aug. 23 and that she didn’t receive her letter until Friday.
“If someone was going to do harm to you, they would already be doing it by the time we found out,” she said.
Eventually, the woman said she was able to contact Chief Information Officer James Reed, who was able to help her feel “more at ease” about the situation. Reed provided additional details that were not included on the letter she received, she said.
Overall, the woman said she is pleased with the services her family receives at Conway Regional. But, she said she is concerned her family’s identities could be stolen and that she is working to freeze her family's credit accounts.
“I hate that this happened to them and to the patients,” she said. “All [a scammer] needs is our name and address to open an account in your name.”
In the statement Daril sent to the LCD, Conway Regional officials said they did not believe anyone’s information was intercepted.
“After a thorough internal and external investigation by cybersecurity experts, we did not identify that any individuals’ information was accessed, but out of an abundance of caution we notified those individuals whose information was contained in the email account,” the statement reads in part.
The hospital said it was committed to protecting its information systems and its patients’ information.
“We take the security of the information in our possession seriously and we regret any concern that this incident causes and remain committed to protecting information,” officials said.
Staff writer Marisa Hicks can be reached at firstname.lastname@example.org.