Indianapolis, Indiana, October 1, 2021 -- Eskenazi Health has announced that a cyberattack conducted by cyber criminals and discovered by Eskenazi Health on or about August 4, 2021, resulted in the compromise of personal information of some employees and patients, including health information. Eskenazi Health, a public hospital division of the Health & Hospital Corporation of Marion County (HHC), is leading the investigation on behalf of HHC and its divisions.
The Cyberattack and Eskenazi Health’s Response
On or about August 4, 2021, Eskenazi Health’s information security team became aware of suspicious activity on its system. Upon detecting this activity, Eskenazi Health immediately took steps to take its network offline in order to protect its information and to maintain the safety and integrity of patient care. Eskenazi Health has a comprehensive clinical information system and followed its established downtime procedures.
In accordance with its information security protocols, Eskenazi Health promptly investigated this activity to identify the scope and nature of the attack and determined that sophisticated cyber criminals had gained access to its network on or about May 19, 2021, using a malicious internet protocol address. The cyber criminals also disabled security protections, which made it difficult to detect their activity until they launched the cyberattack.
Eskenazi Health values its patients, employees and providers and is committed to privacy. We quickly engaged an independent forensic team to investigate and contain the incident and to protect against further criminal activity. Eskenazi Health’s forensic team conducted an extensive investigation and assisted Eskenazi Health with mitigation steps to ensure the cyber criminals were no longer on its network. Eskenazi Health also notified the FBI and enabled additional security measures to further enhance its network security. There is no evidence that any files were ever locked by the cyber criminals, and Eskenazi Health did not make a ransom payment to the cyber criminals.
Despite Eskenazi Health’s efforts, data was stolen from its network by the cyber criminals and they released some of the data on a portion of the Internet known as the dark web. This data included certain personal and health information of some patients and employees of HHC. Impacted individuals are discussed below.
Eskenazi Health is constantly evaluating its security systems and will continue to make improvements as necessary to protect the privacy and security of information on an ongoing basis. Eskenazi Health has been proactive in its efforts to implement policies, procedures, and safeguards to prevent data compromises from occurring in the future and has worked with its forensic team to identify any areas for improvement.
The Information Affected
Through its review of data, Eskenazi Health has determined that medical, financial, and demographic information of certain individuals was obtained by the cyber criminals and posted on the dark web. The information impacted may include: name, date of birth, age, address, telephone number, email addresses, medical record number, patient account number, diagnosis, clinical information, physician name, insurance information, prescriptions, date(s) of service, driver’s license number, passport number, face photos, Social Security number, and credit card information. In the case of deceased patients, this information also may include cause of death and date of death. Impacted individuals will receive a letter detailing which specific types of their information were involved in the incident.
Impacted Individuals
Impacted individuals, or their loved ones, may wish to review information maintained by each of the credit reporting bureaus and any applicable financial institutions to detect any suspicious activity. Contact the credit bureaus at the following numbers:
- Equifax 800-525-6285
- Experian 888-397-3742
- Trans Union 800-680-7289
Identity theft protection, including credit monitoring, is available for impacted individuals at no cost to them. Instructions on how to enroll in the identity theft protection program will be included in each impacted individual’s letter. If Eskenazi Health becomes aware of any additional material information, it will make such information available via its incident website, located here: https://www.eskenazihealth.edu/cyber-incident.
Individuals who have additional questions regarding this incident should contact 317-880-4814. Please be prepared to provide Engagement Number B019316 when speaking with a representative.
Press inquiries should be directed to:
Michelle O’Keefe
Eskenazi Health Public Affairs
public.affairs@eskenazihealth.edu
317-880-4850
About Eskenazi Health
For more than 160 years, Eskenazi Health has provided high-quality, cost-effective, patient-centered health care to Central Indiana. Accredited by The Joint Commission, nationally recognized programs include a Level I trauma center, regional burn center, comprehensive senior care program, women’s and children’s services, teen and adolescent care programs, Lifestyle Health & Wellness Center, Sandra Eskenazi Mental Health Center, and a network of primary care sites located throughout the neighborhoods of Indianapolis known as Eskenazi Health Center. In partnership with the Regenstrief Institute, Eskenazi Health conducts groundbreaking work that informs health information technology around the globe. Eskenazi Health also serves as the sponsoring hospital for Indianapolis Emergency Medical Services. As the public hospital division of the Health & Hospital Corporation of Marion County (HHC), Eskenazi Health partners with the Indiana University School of Medicine whose physicians provide a comprehensive range of primary and specialty care services. In 2013, the Sidney & Lois Eskenazi Hospital opened, providing a new modern and efficient facility and becoming Central Indiana’s first Leadership in Energy and Environmental Design (LEED®) Gold health care campus. Eskenazi Health has been named one of Becker’s Hospital Review’s “150 Top Places to Work in Healthcare” for the past four consecutive years.
-------------------------------------------------------------------------------------------------------------------
Posted Oct. 1, 2021
Substitute Notice for Affected Individuals
Eskenazi Health is publishing this substitute notice to inform impacted individuals of a recent cyberattack that resulted in cyber criminals compromising certain personal information, including protected health information.
What happened?
On or about August 4, 2021, Eskenazi Health’s information security team became aware of suspicious activity on its system. Upon detecting this activity, Eskenazi Health immediately took steps to take its network offline in order to protect its information and to maintain the safety and integrity of patient care. Eskenazi Health has a comprehensive clinical information system and followed its established downtime procedures.
In accordance with its information security protocols, Eskenazi Health promptly investigated this activity to identify the scope and nature of the attack and determined that sophisticated cyber criminals had gained access to its network on or about May 19, 2021, using a malicious internet protocol address. The cyber criminals also disabled security protections, which made it difficult to detect their activity until they launched the cyberattack.
Eskenazi Health quickly engaged an independent forensic team to investigate and contain the incident and to protect against further malicious activity. Eskenazi Health’s forensic team conducted an extensive investigation and assisted it with mitigation steps to ensure the cyber criminals were no longer on its network. Eskenazi Health also notified the FBI and enabled additional security measures to further enhance its network security. There is no evidence that any data was ever locked by the cyber criminals, and Eskenazi Health did not make a ransom payment to the cyber criminals.
Despite Eskenazi Health’s efforts, data was stolen from its network by the cyber criminals and they released a portion of the data on the Internet known as the dark web. This data included certain personal and health information of some patients and employees.
What information was involved?
Through its review of data, Eskenazi Health has determined that medical, financial, and demographic information of certain individuals was obtained by the cyber criminals and posted on the dark web. The information impacted may include: name, date of birth, age, address, telephone number, email addresses, medical record number, patient account number, diagnosis, clinical information, physician name, insurance information, prescriptions, date(s) of service, driver’s license number, passport number, face photos, Social Security number, and credit card information. In the case of deceased patients, this information also may include cause of death and date of death. Impacted individuals will receive a letter detailing which specific types of their information was involved in the incident.
What you can do?
Impacted individuals, or their loved ones, may wish to review information maintained by each of the credit reporting bureaus and any applicable financial institutions to detect any suspicious activity. Contact the credit bureaus at the following numbers:
- Equifax 800-525-6285
- Experian 888-397-3742
- Trans Union 800-680-7289
Identity theft protection, including credit monitoring, is available for impacted individuals at no cost to them. Instructions on how to enroll in the identity theft protection program will be included in each impacted individual’s letter. If Eskenazi Health becomes aware of any additional material information, it will make such information available via its incident website, located here: https://www.eskenazihealth.edu/cyber-incident.
What has Eskenazi Health done?
Upon recognizing the attack, Eskenazi Health took the network offline, including disconnecting from the Internet. Eskenazi Health worked diligently with its forensic team, system by system, to perform a thorough review, testing and verification process prior to bringing its systems back online.
During the investigation, Eskenazi Health issued a preliminary notice on its website to advise the public of this incident while it worked to identify specific individuals impacted, as well as the exact nature of the information that was compromised.
Eskenazi Health is constantly evaluating its security systems and will continue to make improvements as necessary to protect the privacy and security of information on an ongoing basis. Eskenazi Health has been proactive in its efforts to implement policies, procedures, and safeguards to prevent data compromises from occurring in the future and has worked with its forensic team to identify any areas of improvement.
Eskenazi Health takes the privacy and security of information entrusted to it very seriously and will continue to implement improvements to secure all personal information it maintains. Eskenazi Health deeply regrets any inconvenience or worry this incident may cause.
Individuals who have additional questions regarding this incident should contact (855) 896-4446. Please be prepared to provide Engagement Number B019316 when speaking with a representative. The hours of operation are below:
Pacific Time: Monday – Friday, 6 am to 8 pm PT; Saturday – Sunday, 8 am to 5 pm PT
Central Time: Monday – Friday, 8 am to 10 pm CT; Saturday – Sunday, 10 am to 7 pm CT
Eastern Time: Monday – Friday, 9 am to 11 pm ET; Saturday – Sunday, 11 am to 8 pm ET
--------------------------------------------------------------------------------------------------------------------
Posted Aug. 24, 2021
Eskenazi Health experienced a cyber event on August 4. We have prepared for events such as this and we quickly acted in accordance with our information security protocols to maintain the safety and integrity of our patient care. The health system is open and operating with patient procedures and appointments underway. Our treatment of COVID-19 patients and our vaccination efforts are unaffected. We continue to conduct a thorough forensic evaluation of our systems.
Through our investigation, we have learned that some data that we maintain was obtained by bad actors and released online. Our forensic experts are monitoring for this, we have identified files that the hackers obtained, and we have begun the painstaking process of examining those files for any personal patient or employee information. If we find such information, we will notify the affected individuals in accordance with law and offer identity protection and credit monitoring services.
There is no evidence that any of our files were ever encrypted and we will not make any payment to the bad actors. Our system worked as it should and the quick action by staff, in accordance with our information security protocols, enabled us to maintain the safety and integrity of our patient care.
Employees, providers, patients, former patients and vendors should closely monitor bank and credit card statements, as well as other personal information, and report any suspicious activity to authorities and financial institutions. We encourage these individuals to obtain a free credit report from each of the credit reporting bureaus – Equifax, Experian and TransUnion. Individuals can also freeze, and unfreeze, their credit through the credit bureaus. In some cases, this is as easy as a button on their app. The credit bureaus can be reached through the following phone numbers:
- Equifax: 800.525.6285
- Experian: 888.397.3742
- Trans Union: 800.680.7289
We have notified the FBI regarding this event and are working with them on their investigation.
Thank you.