UCHealth warns patients, employees of cybercriminal's data breach: What we know

Colorado health care giant UCHealth on Friday warned its patients, employees and providers to be vigilant about any activity involving their personal information following a data breach involving one of its vendors.

UCHealth characterized the breach as the result of actions by a lone, unidentified cybercriminal who accessed a variety of records held by business operations software company Diligent Corp. Here's what we know and how to protect yourself if you're worried that your personal information is compromised.

What happened in the UCHealth data breach?

Health system officials said that Diligent provides online hosted services for UCHealth, and its software was accessed and attachments downloaded by the cybercriminal. The downloaded documents may have included names, addresses, dates of birth and treatment-related information. Social Security numbers and other information may have been accessed "in very limited cases," according to UCHealth.

The health system's email and electronic medical record systems were not accessed, according to a news release.

Was patient data used or sold following the breach?

UCHealth officials wrote that "we have no reason to believe the data taken from Diligent's system went beyond the cybercriminal or was misused in any way." However, they encouraged patients, employees and providers to watch for any signs of suspicious activity or identity theft.

UCHealth apologized for the concern caused by the breach and said it was told that Diligent has taken additional steps to protect the data it stores.

What should I do if I'm concerned that my data has been compromised?

Those with additional questions are directed by UCHealth to call 855-624-6798 from 7 a.m. to 4:30 p.m. weekdays.

John Buzzard, a financial fraud analyst at Javelin Strategy and Research, told USA TODAY that people with no evidence of identity fraud should still take advantage of their one annual credit review, which is free from each bureau: Equifax, Experian and TransUnion.

If you’ve received an indication that an account has been tampered with or credit has been extended in your name, you should contact that company or financial partner directly and promptly.

“There is no perfect way to validate that your identity has been stolen until you start to see material account-based charges or financial losses,” Buzzard said.

Consumers can also purchase identity protection services that provide preemptive warnings when unusual activity starts to occur.

What should you do if your identity is stolen?

  • Freeze your credit. This should be the first step at the sign of a scam so you can potentially limit the damage going forward.

  • File a police report. Some financial institutions require this step to gain access to other coverage. Do this at your local law enforcement agency if they’ll accept it.

  • Write paper letters to any service providers that wrongly opened accounts in your name. Buzzard suggests writing concise, drama-free letters that provide the details of the fraud. Make it clear that you’ve been a victim, attach the police report and follow up. The goal is to get each account closed and work toward expungement so you’re no longer liable for the money. Remember that each lender and credit agency needs to get a letter.

  • Be patient and tenacious. “It’s your problem to fix, you have to advocate for yourself,” Buzzard said, and although the process is frustrating, the best results go to those who are concise and follow up with each piece of the financial system until the problem is resolved.

  • Get an attorney. If things get really bad, some consumers consider filing for bankruptcy or attempting to obtain a new Social Security number entirely, but Buzzard said a $1,200 bankruptcy filing fee would probably be better used to see a good attorney.

Contributing: Nick Penzenstadler, USA TODAY

This article originally appeared on Fort Collins Coloradoan: UCHealth warns patients, employees of data breach by cybercriminal