Excellent detail here from Jeremy Saluka at OMC:
Situation update as of 15:00 CST Thursday, Feb. 6, 2014:
Contrary to any rumors you may have heard, OMC has no evidence that this breach of data was initiated internally (e.g., by an OMC employee). We’re working with the FBI’s Cyber Crimes division, technical computer forensics experts, and other resources to learn as much as we can about the origin/nature of the breach. As with many online information breaches, this process can be extremely complex and time-consuming.
We also continue to have no evidence that data compromised in this illegal incident included any employee or patient protected health information (PHI), medical records, or financial institution accounting/routing numbers.
Again, we are treating this incident as a criminal act, and some of our public-facing communications will be framed/shaped by confidentiality and legal requirements related to an ongoing investigation. OMC will provide you with further updates with additional relevant information as it becomes available. Given the extremely sensitive and rapidly evolving nature of information associated with this event, as well as the related criminal investigation, OMC will not be providing live or recorded interviews on this topic until further notice.
OMC employees whose personal information may have been unlawfully accessed officially reside in Minnesota, Iowa, Wisconsin, Oklahoma, and Oregon. Each state has security breach notification statutes that require companies to provide notice to individuals whose personal information was, or is reasonably believed to have been, subject to a security breach. We are working closely with legal counsel to make sure OMC’s employee communications on this breach satisfy, if not exceed, the requirements of those state statutes. We also continue to follow related Federal requirements.
Today, Thursday, Feb. 6, OMC took these additional actions in its ongoing efforts to prevent or reduce any adverse effects of the data breach:
· OMC has allocated temporary space, personnel, and equipment, as well as time, within its facilities for OMC employees to act on the identity-protection recommendations we made in our initial all-staff communication on Feb. 5, 2014 (e.g., requesting free Fraud Alerts with the three leading credit-reporting agencies, filing IRS Identity Theft Affidavits, changing certain online account passwords, etc.).
· OMC has initiated communication regarding common questions about identity theft and identity protection with all employees, and has partnered with a Rochester City Police Department Advanced Crime Prevention/CPTED Specialist who will lead 30-minute identity-theft-prevention info sessions with OMC employees during the week of Feb. 10-14.
· OMC has reiterated its core key messages to all employees about the importance of proactively and regularly monitoring sensitive personal information, including financial and identity-related information.
Again, Olmsted Medical Center considers this incident an extremely serious, unlawful, and unauthorized breach of private and privileged information, and is aggressively investigating the event. As our investigation into this breach continues, we will continue to provide regular updates to our employees and, as is possible, to interested media outlets.
Here's the initial email to the media yesterday on the issue --
Subject: Proactive Announcement RE: OMC Employee Data Breach
This message is a heads-up proactive announcement from Olmsted Medical Center (OMC) to local/regional media representatives regarding a recently discovered unlawful and unauthorized breach of OMC’s employee database records.
Olmsted Medical Center considers this breach to be a criminal act and is responding accordingly. All known details as of 13:45 CST follow. Related inquiries should be directed to Jeremy Salucka at 507.292.7203 or firstname.lastname@example.org.
OMC will provide you with further updates with additional relevant information as it becomes available. Given the extremely sensitive and rapidly evolving nature of information associated with this event, as well as the related criminal investigation, OMC will not be providing live or recorded interviews on this topic until further notice.
Situation: On Monday, Feb 3, 2014, Olmsted Medical Center became aware of unlawful and unauthorized electronic access to information stored in OMC’s employee database. Today, Feb. 5, 2014, OMC verified that this breach involved some personal data of OMC employees. This breach is similar to the complex tax fraud breaches occurring throughout the world right now. At this time, we have no evidence that this breach includes any protected health information (PHI) of OMC employees, their spouses/partners, or dependents. We also have no evidence at this time that this data breach involves any protected health information for any of our patients.
OMC’s Ongoing Response:
• OMC has dedicated internal and external resources to the investigation of and response to this incident
• OMC has informed appropriate government and law-enforcement agencies as required by law, including the FBI’s Cybercrimes Division and the Internal Revenue Service
• OMC has proactively communicated with all employees about this incident and has advised them to take the following preventive steps to protect their identities and personal information, as well as the personal information of their spouses/partners and/or dependents:
o Immediately change any usernames and passwords for online financial accounts and notify the account providers of the incident
o Complete IRS form 14039, the Identity Theft Affidavit, attach required identity-verification documentation as directed on the form, and submit the information by FAX to the IRS at 855.807.5720
o Contact any one of the consumer reporting agencies (Experian, Equifax, or TransUnion) to activate a free 90-day fraud alert
o Carefully review personal financial accounts, credit reports, and other financial data for suspicious activity and immediately contact the relevant financial institution or credit agency with any concerns
• Olmsted Medical Center is arranging one year of free identity-theft-protection services for OMC employees, spouses/partners, and dependents via LegalShield.
Olmsted Medical Center considers this incident an extremely serious, unlawful, and unauthorized breach of private and privileged information, and is aggressively investigating the event. As our investigation into this breach continues, we will provide regular updates to our employees.
Marketing & Communications
Olmsted Medical Center