Harris Health takes the privacy and security of its patients’ information very seriously. This notice concerns a cybersecurity event that involved some of that information.
As previously reported, Harris Health is among the numerous organizations to have its data targeted during the recent MOVEit cyberattack. Harris Health uses MOVEit, a file transfer software, to send and receive files. This software helps Harris Health do its work. MOVEit recently told its customers about a problem with its software. This problem allowed cyber criminals to take data from MOVEit customers, such as Harris Health. Harris Health is one of many MOVEit customers from across the U.S. and around the world whose data was taken. This notice explains what happened, describes the actions Harris Health has taken in response, and offers steps patients may consider taking.
What Happened? On June 2, 2023, Harris Health learned that a vulnerability in the MOVEit software allowed an unauthorized actor to access its MOVEit server. Upon learning of the vulnerability, Harris Health immediately implemented security safeguards to address the vulnerability and secure its MOVEit server. Harris Health also promptly launched an investigation into the nature and scope of the event with the assistance of third-party cybersecurity experts. Harris Health’s investigation determined that the unauthorized access to its MOVEit server occurred on May 28, 2023, during which time certain files were downloaded from that system. Harris Health then began a detailed review of the files involved to determine what information was involved and to whom it related.
What Information Was Involved? Based on Harris Health’s review to date, Harris Health determined that some of the files downloaded included patient information. The information involved varied by individual but may have included one or more of the following: name; address; date of birth; Social Security number; medical record number; immigration status; driver’s license number or other government-issued identification number; health insurance information; and/or information related to care received at Harris Health, such as procedure information, treatment cost, diagnosis, medications, provider name, and/or date(s) of service. The incident did not impact Harris Health’s electronic medical records and to date, Harris Health believes that it did not include patients’ bank or other financial account information.
The incident did not affect all Harris Health patients, but only those whose information was included in the files downloaded from its MOVEit server. All other systems at Harris Health operate independently from the MOVEit software and were not impacted. The Harris Health network remains fully functional and operational and there has been no impact to patient care or services.
What We Are Doing? Harris Health is committed to maintaining the privacy and security of its patients’ information and takes this event very seriously. To help prevent something like this from happening in the future, Harris Health has implemented all patches that the provider of MOVEit has recently made available and taken other remediation steps to secure its MOVEit server. Harris Health will continue to look for ways to enhance its secure file transfer protocols.
On July 21, 2023, Harris Health began mailing letters to individuals whose information was identified through our review and for whom Harris Health has sufficient contact information. Harris Health is also offering individuals whose Social Security number was involved complimentary credit monitoring and identity theft protection services.
What You Can Do? Patients are encouraged to review statements from their health insurer and healthcare providers, and to contact the insurer or provider if they see any services they did not receive. Harris Health also established a dedicated call center for patients to call with questions. If you believe you are affected, but do not receive a letter by August 31, 2023, please call 1-866-347-7885, Monday through Friday, between 8 a.m. and 5:30 p.m. Central Time, excluding holidays.
For More Information. If you have any questions, please call Harris Health’s dedicated, toll-free incident response line at 1-866-347-7885, Monday through Friday, between 8 a.m. and 5:30 p.m. Central Time.