The data theft is part of an ongoing criminal investigation and appears to be connected to similar crimes in Georgia and other Alabama locations. The theft does not involve medical information and appears to be limited to patients born between 1988 and 1992, administrators said.
“We greatly regret this incident and we are committed to protecting our patients’ information and to providing assistance to protect the personal information of the patients affected,” said Teresa Grimes, CEO and administrator.
Grimes said she was notified by law enforcement on May 20 that some data had been accessed and removed from the hospital without authorization and in “direct violation of hospital policy.” Information taken appears to be limited to name, address, date of birth, Social Security number and medical record number. Detailed medical information, such as the patient’s treatment or diagnosis, was not included.
The 880 patients are only a fraction of the total records registered during the first quarter of the calendar year. Grimes said more than 24,790 patient records are on file for that period.
She said the information does not appear to have been accessed remotely, via a computer system breach, but rather appears to have been physically removed from the hospital facility.
Grimes said the theft of information is under investigation by law enforcement. “TRMC is not a target of that investigation and the hospital is cooperating, and will continue to cooperate, with investigators,” Grimes said. No local arrests had been made in the investigation as of late Tuesday evening.
Grimes said investigators had asked for confidentiality during the first 30-plus days of the investigation, which is why the hospital has waited until now to notify patients. By law, the patient notification must take place within 60 days of discovery.
“When we learned of the breach, we immediately initiated our own investigation,” Grimes said. “As part of the investigation, we are reinforcing our security policies and safeguards to protect further unauthorized access and use of patient information and to prevent harm to individuals affected …
“We are developing and implementing a corrective action plan to better protect our patients’ personal information … and we have consulted with an outside expert who has extensive experience investigating these types of issues.”
The hospital also is requiring immediate, mandatory training for all employees regarding the protection of patient information. The hospital employs 276 people and has 41 contracted employees working on its campus, Grimes said.
Grimes said it appears perpetrators are using some of the illegally obtained information to file fraudulent income tax returns with the Internal Revenue Service.
The hospital is providing one year of free identity protection resources to the 880 patients affected. “Affected patients have been sent information by U.S. mail with details regarding how to activate their protection, which is being provided by Experian through its ProtectMyID product,” Grimes said.
Grimes said the hospital staff understands the importance of the public’s trust and is deeply concerned. “On behalf of everyone at Troy Regional Medical Center, I want to express how much we regret this incident,” she said.