Prospect Medical cyberattack exposed 24,000 workers’ private information
More than 24,000 employees of Prospect Medical Holdings in Connecticut may have had some of their personal information, including Social Security numbers, exposed during the recent cyberattack that paralyzed many operations in three hospitals for nearly six weeks.
“For Prospect Medical employees and dependents, the information involved may have included their names and Social Security numbers,” attorney Sara M. Goldstein wrote to the Attorney General’s office.
Prospect also told the Attorney General’s office that 63 Connecticut residents who were patients at Prospect hospitals in California may have had their information breached, including patient names, health insurance and financial information. Of those breaches, 13 had Social Security numbers involved, according to the Attorney General’s office.
Goldstein said that Prospect mailed notifications to 24,130 Connecticut residents that their data may have been breached.
“Prospect Medical is offering Connecticut residents whose Social Security and/or driver’s license numbers were involved two-years of complimentary credit monitoring and identity protection services through IDX,” Goldstein wrote.
She added Prospect Medical also established a dedicated, toll-free incident response line to answer questions.
The email to employees obtained by The Connecticut Mirror said some former employees also may have had some personal information exposed and that company officials were alerting them as well.
“Our ongoing investigation determined that information pertaining to current and former Eastern Connecticut Health Network (ECHN) and Waterbury HEALTH employees and dependents was involved in the incident,” administrators wrote to staff in the email.
The breach impacts employees at all three Connecticut hospitals — Manchester Memorial Hospital, Rockville General Hospital and Waterbury Hospital.
ECHN spokeswoman Nina Kruse confirmed Monday that the company sent an email to employees Friday outlining the breach.
“These employees will also receive notification letters at home. The notices include instructions on how to enroll in complimentary credit monitoring and identity protection services,” Kruse said.
“These identity protection services include two years of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. These services are completely free to employees,” she added.
Prospect said its investigation of the cyberattack is still ongoing and the company has hired Kroll, a New York City based cybersecurity firm, to conduct it.
The email to employees contained more details about that investigation than was shared with the attorney general’s office.
The email said the investigation so far showed that an “unauthorized party gained access to our IT network between the dates of July 31 and August 3 … The unauthorized party accessed benefits administration files that contain information pertaining to current ECHN and Waterbury HEALTH employees and certain former employees.”
“To help prevent something like this from happening again, we have implemented, and will continue to adopt, additional safeguards and technical security measures to further protect and monitor our systems.”
The news comes as the hospitals try to recover from the nearly six-week cyberattack that forced them to divert patients to other hospitals, cancel nearly 50% of their elective surgeries and seek a $7.5 million up-front Medicaid payment from the state.
Last week, officials from Prospect Medical’s corporate offices joined local hospital administrators and representatives of Yale New Haven Hospital at the state Capitol, where they met with Gov. Ned Lamont and a group of about 30 legislators.
Several legislators said hospital officials warned that the three hospitals were in “dire” financial condition and still trying to recover from the cyberattack, with many of their computer systems slowly coming back online.
They urged lawmakers to speed up approval of the proposed sale of the three hospitals to Yale New Haven because, if it doesn’t happen soon, the hospitals may not remain financially viable, they said.
Sen. Saud Anwar, D-South Windsor, who helped organize the meeting between hospital officials and legislators, said the cyberattack has left the hospitals in perilous financial shape.
“If the Yale transaction does not go through, the chances are very high that they will not make it, or they will become a shell of themselves, with most things being transferred to other hospitals while they’re doing very, very basic things,” Anwar said. “It will not be sustainable anymore.”
Anwar is the co-chairman of the legislature’s Public Health Committee and a doctor who saw the impact of the cyberattack firsthand because of his affiliation as a contracted physician with Manchester Hospital.
Anwar told the CT Mirror he is considering holding a special legislative hearing to assess how the hospitals responded to the attack and to gauge the state’s response.
“I know we have a lot more to do and [need to] start to have these conversations, because it’s not a matter of if, it’s a matter of when more such attacks are going to happen,” Anwar said.