Saint Francis Health System

Your Personal Info Could Be

Exposed Online After

This Hospital Breach

Breach Description

Saint Francis Health System (SFHS) in Tulsa, Oklahoma, experienced a data breach due to a vulnerability in a file transfer platform called MOVEit, as reported on July 26, 2023. The breach occurred when an unauthorized person exploited a vulnerability in MOVEit and copied files from SFHS’s database on May 28, 2023[1].

The compromised files contained limited patient information related to billing and invoices for medical devices, including names, dates of birth, medical record numbers, billing account numbers, and medical device information. However, the breach did not include patients’ financial account information or Social Security numbers. Not all SFHS patients were affected, only those whose information was in the files copied from the MOVEit database. SFHS’s electronic medical records system was separate from MOVEit and was not impacted by the breach[1].

In response to the incident, SFHS began mailing notification letters to the affected individuals on July 26, 2023. They also established a dedicated call center to answer patients’ questions and encouraged patients to review statements from their healthcare providers for any services they did not receive. To prevent future incidents, SFHS implemented additional security measures, including patches provided by the vendor, and continued to enhance their file transfer protocols[1].

The information taken during the breach did not include Social Security numbers, driver’s license numbers, or financial information, according to a hospital spokeswoman[2]. It’s important to note that this incident is separate from other healthcare-related cybersecurity incidents, such as the ransomware attacks on Ardent Health Services, which affected multiple healthcare systems including the University of Kansas Health System St. Francis Campus[3][9][10][11][12][13].

For further details and updates, affected individuals can contact the SFHS call center at (866) 547-8656 during the specified hours[1].

Citations:

  1. https://www.saintfrancis.com/about-us/news/individuals-moveit-notifications
  2. https://tulsaworld.com/news/saint-francis-health-system-confirms-data-breach/article_e92d7b77-71f3-542e-aad8-526b9eeade04.html
  3. https://www.ksnt.com/news/local-news/this-is-every-healthcare-ceos-nightmare-topeka-hospital-hit-in-ransomware-attack-services-impacted/
  4. https://www.bitdefender.com/blog/hotforsecurity/data-breach-at-roper-st-francis-hospital-affects-6000-patients/
  5. https://healthitsecurity.com/news/350k-proposed-settlement-reached-in-saint-francis-data-breach-lawsuit
  6. https://www.govtech.com/security/ransomware-impacts-health-care-systems-in-six-states
  7. https://www.hipaajournal.com/350000-settlement-reached-resolving-saint-francis-healthcare-data-breach-lawsuit/
  8. https://www.hcinnovationgroup.com/cybersecurity/news/13027494/saint-francis-health-system-acknowledges-breach-but-doesnt-pay-ransom
  9. https://www.wibw.com/2023/11/27/details-released-into-ardent-ransomware-attack-that-may-have-effect-topeka-patients/
  10. https://www.ksnt.com/news/local-news/ardent-health-services-systems-restored-after-ransomware-attack/
  11. https://www.cjonline.com/story/news/local/2023/11/28/hospital-ransomware-attack-forces-closure-topeka-st-francis-emergency-room/71726505007/
  12. https://www.wibw.com/2023/12/02/topeka-hospital-still-feeling-effects-recent-security-breach/
  13. https://www.kansascity.com/news/local/article282469858.html
Breach Submission Date Jul 26, 2023
Converted Entity Name Saint Francis Health System
Converted Entity Type Healthcare Provider
State OK
Individuals Affected 18,911
Breach Type Hacking/IT Incident

Breach Information Location Network Server

Business Associate Present Yes