Cyber Incident Victim: Saint Francis Health System

Date:

May 2023

Location:

United States of America

Summary

Saint Francis Health System was impacted by a data security incident involving the exploitation of a vulnerability in the MOVEit file transfer software. An unauthorized actor copied files from its MOVEit database, which contained limited patient information related to billing and invoices for medical devices. The compromised data included names, dates of birth, medical record numbers, billing account numbers, and medical device information, though financial account details and Social Security numbers were not involved. The majority of those affected were employees and their dependents.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On May 31, 2023, Progress Software Group, the developer of the MOVEit file transfer platform, notified its customers, including Saint Francis Health System (SFHS), of a vulnerability within the software. This vulnerability was identified as potentially allowing unauthorized access to customer MOVEit databases. Upon receiving this notification, SFHS took immediate steps to address the vulnerability and initiated an investigation into the matter. The subsequent investigation determined that an unauthorized actor had successfully exploited this specific vulnerability in the MOVEit software. The exploitation occurred on May 28, 2023, when the attacker copied files out of the SFHS MOVEit database.

The investigation involved a comprehensive review of the files that were accessed and copied by the unauthorized individual. This review determined that the incident was confined to the MOVEit system and did not impact other SFHS systems. Specifically, the organization's electronic medical records were confirmed to be separate from the MOVEit platform and were therefore entirely unaffected by this event. No information was lost or deleted from SFHS systems as a result of the incident; the unauthorized activity was limited to the copying of files from the MOVEit database.

The scope of the incident was not universal across all SFHS patients. The data exposure was limited strictly to individuals whose information was contained within the specific files copied from the MOVEit system. The review of these files concluded that they contained limited patient information related to billing and invoices for medical devices. The majority of the individuals affected were identified as being SFHS employees and their dependents. The specific data elements present in the copied files varied but could have included an individual's name, date of birth, medical record number, billing account number, and information concerning a medical device. A critical finding of the review was that the involved information did not include more sensitive financial or personal identifiers; patients' financial account information and Social Security numbers were not contained in the compromised files.

In response to these findings, SFHS undertook a notification process. On July 26, 2023, the organization began mailing individual notification letters to all persons whose information was identified as having been involved in the incident. The notification letters detailed the nature of the incident and the specific types of information that were potentially exposed. As a precautionary measure, the letters advised patients to carefully review statements they receive from their healthcare providers and to contact the provider directly if they identify any services listed that they did not actually receive.

To support affected individuals and answer any questions they might have, SFHS established a dedicated, toll-free call center. This resource was made available at the phone number (866) 547-8656. The call center operates during business hours, specifically Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays. This provided a direct channel for individuals to seek information and clarification regarding the event.

From a technical and security standpoint, SFHS implemented additional safeguards to help prevent a similar incident from occurring in the future. This response included applying the security patches provided by the software vendor, Progress Software Group, to address the known vulnerability that was exploited. The organization also expressed a commitment to continuing to look for ways to enhance its file transfer protocols and overall security posture. SFHS reiterated its commitment to maintaining the privacy and security of its patients' information and stated that it takes such events very seriously. The entire incident was a result of the exploitation of a vulnerability in a third-party software product and was not due to a breach of SFHS's internal electronic medical record systems or other primary healthcare databases. The impact was confined to data stored within the specific MOVEit file transfer system used by the organization.
