St. Mary’s Regional Medical Center (the “Facility”) is providing notice of an incident that involved our patients’ protected health information (“PHI”). While letters were mailed to potentially affected patients on May 17, 2023, our Facility is now posting notice here as several letters were returned as undeliverable on June 28, 2023.

What Happened

On January 18, 2023, our business associate became aware of suspicious email activity in an authorized user’s email account and determined that, on or about January 9, 2023, this user’s email account had been accessed without authorization as a result of a phishing incident. “Phishing” means that the user was tricked into sharing login information which enabled an unauthorized person to access the email account. Our business associate immediately reset the account credentials and launched an investigation into the nature and scope of the incident. The investigation found that the user’s email account was only accessed through a web browser, and while certain emails may have been accessed by the unauthorized person, there is currently no evidence that suggests any PHI in the emails was the target of the attack or otherwise copied or misused in any way. Nevertheless, an extensive effort was made to match patient information in the emails with available mailing addresses in our system, and our Facility is providing notice of the incident to impacted patients in an abundance of caution and so they can take steps to protect their information if they find it appropriate to do so.

What Information Was Involved

The potentially impacted emails contained the patient’s full name, patient account and/or medical record number, admission and/or discharge date, a brief summary of the diagnosis and/or visit outcome, and in some instances, associated billing amounts. Please note the emails did not contain Social Security numbers, credit card numbers or other financial information, and generally did not include any email, phone number, or mailing address. 

What We Are Doing

Our Facility began mailing notification letters on May 17, 2023. In addition, email security measures are being reviewed and enhanced in light of the incident, along with additional training and security reminders for relevant staff. While our Facility is unaware of any actual or attempted misuse of PHI, we are offering impacted patients 12 months of identity surveillance and restoration services at no charge.

More Information

Our Facility is committed to providing quality care, including protecting PHI. Individuals with additional questions may call our dedicated assistance line at 800-984-9630 (toll-free), Monday – Friday, 9:00 a.m. to 11:00 p.m. Eastern Time, and Saturday – Sunday, 11:00 a.m. to 8:00 p.m. Eastern Time, excluding holidays. This line will remain open until September 26, 2023. Please provide engagement number B091077 when calling.

If you did not receive a letter, but would like to know if you were affected, please contact our dedicated assistance line.