OH Muhlenberg, LLC

OH Muhlenberg, LLC Data Breach (2015)

medium
VERIS
Disclosed

September 16, 2015

Records

84.7K

Confirmed

Root Cause

Hacking

Industry

Healthcare

Description

OH Muhlenberg, LLC announced that its hospital located in Greenville, KY, has experienced a security incident affecting some of the hospital's computers. The hospital is providing notice to individuals that may have been affected by the incident and offering one year of complimentary identity protection services to those individuals. The hospital regrets any inconvenience or concern this incident may cause.

On September 16, 2015, the Federal Bureau of Investigation (FBI) notified the hospital of suspicious network activity involving third parties. Upon learning this information, the hospital took immediate action, including initiating an internal investigation and engaging a leading digital forensics and security firm to investigate this matter. Based upon this review, the hospital confirmed that a limited number of computers were infected with a keystroke logger designed to capture and transmit data as it was entered onto the affected computers. The infection may have started as early as January 2012.

The hospital understands the importance of protecting the privacy and security of its providers', patients' and employees' information. Upon learning of the incident, the hospital took prompt steps to address and contain it, including immediately blocking the external unauthorized IP addresses, taking steps to disable the malware and continuing to enhance the security of its systems moving forward.

The affected computers were used to enter patient financial data and health information, information about persons responsible for a patient's bill and employee/contractor data, including potentially name, address, telephone number(s), birthdate, Social Security number, driver's license/state identification number, medical and health plan information (such as health insurance number, medical record number, diagnoses and treatment information, and payment information), financial account number, payment card information (such as primary account number and expiration date) and employment-related information. Additionally, some credentialing-related information for providers may be impacted. The hospital also believes that the malware could have captured username and password information for accounts or websites that were accessed by employees, contractors or providers using the affected terminals.

The hospital has no indication that the data has been used inappropriately. However, out of an abundance of caution, OH Muhlenberg, LLC is providing notice to individuals whose information was maintained in the hospital's electronic patient records database; persons employed by or contracted for specific services by the hospital on and after January 1, 2012; as well as providers who were credentialed or re-credentialed for privileges at the hospital in 2012.
