NewsHillsborough County

Actions

'Cybersecurity event' impacts Tampa General patient information

TGH said the information varied but may have included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information and more
tgh.png
Posted
and last updated

Tampa General Hospital announced that an unauthorized third party accessed some patient information in May during a "cybersecurity event."

The hospital said in a notice that the third party got the files in its system between May 12 and May 31. The hospital now says the event impacted 1.2 million people.

TGH said it varied by individual, but some of the information accessed may have included names, addresses, phone numbers, dates of birth, Social Security numbers, health insurance information, medical record numbers, patient account numbers, dates of service, and limited treatment information.

The hospital is mailing letters to people whose information may have been involved, the notice said and will provide credit monitoring and identity theft protection services to those whose Social Security number was involved.

Travis Horn was treated at Tampa General Hospital after a recent crash, where his truck was hit, causing a rollover.

But now he says he's got more to worry about than just his injuries because of the data breach.

“I’m going to keep a closer eye on my credit and see what’s happening with my debit and credit cards and make sure there are no erroneous charges in my accounts.”

LMG Security CEO Sherri Davidoff says the hospital deserves credit for catching the breach before the data was encrypted.

“Kudos to the hospital for employing some of this latest and greatest technology that helped them to prevent operational outages. Because when we are dealing with hospitals, that’s what I care about the most. Patient safety. Patient care. You don’t want delays in procedures. There are studies that link ransomware attacks to increased mortality rates and things like that, and they really successfully avoided the worst of it.”

Dr. William McGrogan says he’s been a doctor for 25 years, including time at different hospitals.

“Certainly, we don’t check our personal email at the hospital. There are a lot of things we can’t do in the hospital on those computers. It’s a totally different world. Trying to make it very secure.”

He now has his concierge practice in Tampa and says he takes protecting patient info very seriously, employing a third-party company to secure it.

“We are hearing about these things so frequently, right? It seems like every day, we are hearing about a data breach. I know they are trying to combat that just like at home when we get spam," said McGrogan.

TGH says they are notifying those who might have been affected by the breach and offering free credit and identity theft protection services.

The federal government says the healthcare sector alone has had nearly 300 breaches this year, potentially impacting almost 40 million people.

“It’s incumbent on people who have our information to help keep it safe, especially when the breach is such a large one. And so I hope they are taking action to mitigate that and make sure it doesn’t happen again," said Horn.

TGH encouraged patients to monitor and review statements from their health insurer and healthcare providers and to contact them if they see any services they didn't receive.

TGH said the unusual activity was noticed through proactive monitoring tools on May 31. TGH said, in part:

We immediately took steps to contain the activity and began an investigation with the assistance of a third-party forensic firm. Fortunately, TGH’s monitoring systems and experienced technology professionals effectively prevented encryption, which would have significantly interrupted the hospital’s ability to provide care for patients. However, the investigation determined that an unauthorized third party accessed TGH’s network and obtained certain files from its systems between May 12 and May 30, 2023.

TGH reported the event to the FBI and provided information to support its investigation of the criminal group responsible.

The hospital said the electronic medical record system was not involved or accessed in the event.

The hospital said its implemented additional defensive tools and increased monitoring in light of the event.